{"id":"MAL-2026-5884","summary":"Malicious code in vortnode (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (43b7aa0683f0462d98c9ab789942e329e1298af3f85c0bd3a9b3761f5aebf8fb)\nOn `npm install`, the `preinstall` hook (`node lib/setup.js`) runs on Windows and invokes `lib/worker.js`, which downloads an executable to %LOCALAPPDATA%\\Temp (or %TEMP%) under Microsoft-update cover names (`msedge_update`, `chrome_installer`, `dotnet_host`, `onedrive_setup`, `teams_update`) and silently executes it via `spawn(fp, [], { detached: true, stdio: 'ignore', windowsHide: true })` followed by `ch.unref()`. The download URL is XOR-decoded at runtime from opaque buffers carried in the `foldmap` dependency, with a fallback chain of https → `curl.exe` → `bitsadmin` to maximize delivery; TLS verification is disabled (`rejectUnauthorized: false`); the Mark-of-the-Web `:Zone.Identifier` ADS is stripped before execution. All sensitive identifiers in `lib/worker.js` (`https`, `child_process`, `spawn`, `curl.exe`, `bitsadmin`, `powershell.exe`, `:Zone.Identifier`, env vars, cover filenames) are constructed with `String.fromCharCode(...)` to evade signature scanning. The package's advertised `index.js` API (`spawn`/`kill`/`list`/`has`) is a decoy never referenced by the install path. Any developer or CI runner installing `vortnode` on Windows executes attacker-controlled code as the current user.\n","modified":"2026-06-16T14:31:47.623435829Z","published":"2026-06-16T14:04:12Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-16T14:19:04.208207673Z","id":"IN-MAL-2026-006750","versions":["1.2.0"],"sha256":"43b7aa0683f0462d98c9ab789942e329e1298af3f85c0bd3a9b3761f5aebf8fb","modified_time":"2026-06-16T14:04:12Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vortnode/v/1.2.0"}],"affected":[{"package":{"name":"vortnode","ecosystem":"npm","purl":"pkg:npm/vortnode"},"versions":["1.2.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vortnode/MAL-2026-5884.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-NzGBg68rVjjNRk0j981d9/1p8kKGKBjKoGH+szbwwEnlfLz2BltcfGwgihu//qBwrUAywNIFfVbZWcFY0in8qA==","sha1":"d3471ad03ae9336c253b032d39993b3c363dc986"},"filename":"vortnode-1.2.0.tgz"}],"evidence_files":[{"tlsh":"43f1b0b566f60e36e523b0bc8e6e901906edf46334c4d0e4f5ece5022fbd56438249b8","path":"lib/worker.js","sha256":"735629457e653eee260ed6541b39c4d5389c8ed43b22963cab3c45ad5a7f5076"},{"tlsh":"d5f05c36cc75997330c4b6ba5d6b410325b10d5b0188b91c92db101847dd31b64ff52d","path":"package.json","sha256":"dd078b8d6b8c4349c631ba301f93daee764d4a6c0608ecc05fd5fca2dc15c6f6"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}