{"id":"MAL-2026-5835","summary":"Malicious code in lab-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9bbde4e4075983db0c5aba255bc29f84fb2536681b13e8289412cce5c3ee7a2e)\nOn `npm install`, the package's `postinstall` hook runs `sec_check.js`, which enumerates the host's network interfaces and proceeds only if an IPv4 address begins with `18.175.` — a subnet-based targeting gate that hides the behavior on most developer/CI machines. When the gate passes, the script reads `\u003cINIT_CWD\u003e/myfile.txt` from the installer's working directory and uses `curl -X POST` to upload its contents to a hardcoded plaintext C2 at `http://18.175.63.47:8080/collect`. The combination of a lifecycle-script auto-execute path, network-identity targeting to evade scanners, hardcoded bare-IP exfiltration endpoint, and reading installer-side files matches a targeted supply-chain attack against a specific environment (likely an AWS/lab subnet).\n","modified":"2026-06-15T21:46:53.078226658Z","published":"2026-06-15T21:03:46Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-15T21:33:35.606871201Z","id":"IN-MAL-2026-006719","modified_time":"2026-06-15T21:03:46Z","sha256":"9bbde4e4075983db0c5aba255bc29f84fb2536681b13e8289412cce5c3ee7a2e","source":"amazon-inspector","versions":["0.0.3"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/lab-helper/v/0.0.3"}],"affected":[{"package":{"name":"lab-helper","ecosystem":"npm","purl":"pkg:npm/lab-helper"},"versions":["0.0.3"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lab-helper/MAL-2026-5835.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-T92J8g9+0hIxUoa1uYrS01KtMNQkWwU64hRANqDgGjCvHlhtm3V4RHfgALlBdvgoouYHVli1qb/ae3qyZ0QdbQ==","sha1":"d10b5958ebce48d6205e430edd749c2ae4c4f74c"},"filename":"lab-helper-0.0.3.tgz"}],"evidence_files":[{"tlsh":"c31112a6458821b49cf15fe0b9351065f5b655533242ead4bcae85c60f0335043a3ff6","path":"sec_check.js","sha256":"d3c046a0459772dc6e6566817eb50799ae2ca7f068a1d01c625ec2d4f00eb3ba"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}