{"id":"MAL-2026-5857","summary":"Malicious code in event-metrics-q3x7 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9b805c0ac88b45f49b1698fb9ea33e00767380544221d574a0da0e0f526d07f8)\nOn install, package.json runs a postinstall hook (`node run.js`) that triggers beacon scripts (beacon20.js, beacon_linux.js) shipped in the tarball. The beacons load `child_process`, `os`, `https`, and `http`, gather host fingerprints (os.hostname(), os.platform(), process.platform, process.env) and command output via `exec(...)`, and transmit the data outbound — beacon_linux.js issues an `http.request(...)` POST containing host details, while beacon20.js performs `https.request(...)` calls including requests against the Azure management API endpoint. There is no advertised purpose that justifies a host-info beacon firing automatically at install time, and the data collected (env vars, hostname, platform, command output) is classic installer-side reconnaissance and credential-surface telemetry. Installing this package executes the beacon on `npm install` and leaks installer-machine information to the embedded destinations.\n","modified":"2026-06-16T02:31:45.519586496Z","published":"2026-06-16T02:14:05Z","database_specific":{"malicious-packages-origins":[{"sha256":"38481a7b69f79e37a538047118a05881f29da308c683571c5ab230b5288663c0","modified_time":"2026-06-16T02:14:09Z","import_time":"2026-06-16T02:23:11.889444323Z","id":"IN-MAL-2026-006734","source":"amazon-inspector","versions":["1.0.2"]},{"modified_time":"2026-06-16T02:14:09Z","id":"IN-MAL-2026-006733","versions":["1.0.1"],"source":"amazon-inspector","sha256":"fa01dc0bbee924d7db5aba6916490bc9202963bfd27c1fc558c19597f1e32f55","import_time":"2026-06-16T02:23:11.849620402Z"},{"source":"amazon-inspector","sha256":"8431eba424b46c8f132b5cf8e65e88f79e227dcf22482b8ab2d23a144f81fc8a","modified_time":"2026-06-16T02:14:07Z","import_time":"2026-06-16T02:23:11.761049598Z","id":"IN-MAL-2026-006731","versions":["1.0.7"]},{"modified_time":"2026-06-16T02:14:13Z","versions":["1.0.8"],"source":"amazon-inspector","sha256":"9059fcd730d26d7cc5542c4d80eb7e1abd89e51f253ffe4a97adfce0345a01ba","import_time":"2026-06-16T02:23:12.019267395Z","id":"IN-MAL-2026-006737"},{"modified_time":"2026-06-16T02:14:10Z","source":"amazon-inspector","sha256":"9b805c0ac88b45f49b1698fb9ea33e00767380544221d574a0da0e0f526d07f8","import_time":"2026-06-16T02:23:11.930944117Z","id":"IN-MAL-2026-006735","versions":["1.0.3"]},{"source":"amazon-inspector","sha256":"aad86da9d58e69db4eb1e7bf9a63166f6f11da09a012a41c2a76c99add3e3fd0","modified_time":"2026-06-16T02:14:07Z","import_time":"2026-06-16T02:23:11.821877208Z","id":"IN-MAL-2026-006732","versions":["1.0.5"]},{"modified_time":"2026-06-16T02:14:05Z","id":"IN-MAL-2026-006729","versions":["1.0.4"],"source":"amazon-inspector","sha256":"b20773f0af359b4191d9b4718f7b8d984d5c9fca236ebd8ce151e487554b8aea","import_time":"2026-06-16T02:23:11.643072088Z"},{"modified_time":"2026-06-16T02:14:11Z","versions":["1.0.0"],"source":"amazon-inspector","sha256":"ba5124f00c898366c83713400b6d4d03d01a94d927830248026bb49db66fb1ff","import_time":"2026-06-16T02:23:11.981672505Z","id":"IN-MAL-2026-006736"},{"modified_time":"2026-06-16T02:14:06Z","id":"IN-MAL-2026-006730","versions":["1.0.6"],"source":"amazon-inspector","sha256":"e3474ad4e933b73f874c39c9728accc1028c4a152768e218f2434c8a45057843","import_time":"2026-06-16T02:23:11.706793857Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/event-metrics-q3x7/v/1.0.6"}],"affected":[{"package":{"name":"event-metrics-q3x7","ecosystem":"npm","purl":"pkg:npm/event-metrics-q3x7"},"versions":["1.0.2","1.0.1","1.0.7","1.0.8","1.0.3","1.0.5","1.0.4","1.0.0","1.0.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/event-metrics-q3x7/MAL-2026-5857.json","indicators":{"package_integrity":[{"hashes":{"sha1":"be779559c7c8f86af296faca4bc9e414847e3983","sha512_sri":"sha512-83+n1zO+RagN1tvft+4yaUAFsPxAlU0J+1E1OtjCc5JDHPU6oJPCIOB+FWCIEGBRacuzFVEXN+L8GAr0f9YThQ=="},"filename":"event-metrics-q3x7-1.0.2.tgz"}],"evidence_files":[{"sha256":"27bd36039ac1ff44ef58fe302f7b7ef6a0316de806c379d6fcf170b35f678525","tlsh":"df02b571e8215c247592d5ad8a0b941a3137b3173a61fda0bb8e708c2fce19ec2764fd","path":"beacon19.js"},{"sha256":"60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68","tlsh":"5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded","path":"beacon_linux.js"},{"sha256":"765d9ac3194d4ce74676a87370c4ce35e59522ddb49d50c2e18af64bb0705815","tlsh":"35f09e449c302d3359c52ed80c619989f6344f0b60547d2d427b1d2841dee7930be15d","path":"package.json"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}