{"id":"MAL-2026-5972","summary":"Malicious code in canary-ci-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a572fd7ffa39ecc1ba62c71d1dfe31722bfbe0c4118b7ab8400c1d5f4a61ba0f)\nOn `npm install`, the package's postinstall lifecycle script (postinstall.js) collects installer-side host identifiers — os.hostname(), os.userInfo().username, process.cwd(), platform, and a DNS resolution result — and POSTs them as JSON to the hardcoded endpoint https://opgelost.nu/ (BEACON_URL declared at postinstall.js:15; HTTPS request constructed at line 31; POST issued at line 33; payload assembled at lines 58-66). The fetch fires automatically with no opt-in, and errors are silently swallowed so installers see no indication of the outbound beacon. The behavior is unrelated to any documented package purpose and matches a classic install-time phone-home exfiltration pattern. The package's own metadata declares it to be a scanner test fixture; the executed code, however, is functional exfiltration that runs against any machine that installs it.\n","modified":"2026-06-17T06:02:01.733115813Z","published":"2026-06-17T04:24:09Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-17T04:24:09Z","versions":["1.0.0"],"import_time":"2026-06-17T05:45:42.228220723Z","id":"IN-MAL-2026-006885","source":"amazon-inspector","sha256":"a572fd7ffa39ecc1ba62c71d1dfe31722bfbe0c4118b7ab8400c1d5f4a61ba0f"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/canary-ci-test/v/1.0.0"}],"affected":[{"package":{"name":"canary-ci-test","ecosystem":"npm","purl":"pkg:npm/canary-ci-test"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"canary-ci-test-1.0.0.tgz","hashes":{"sha1":"3107caf4128ea5e046566f3b9896c76a64cb0742","sha512_sri":"sha512-+e0eSadcAu4J3lb0wTwkr6JIY4hGheOj+mBI5jQVZau2i0T9o44q72eepT3ljRmo61H5qaTUcEhLWdcU3zhodA=="}}],"evidence_files":[{"path":"postinstall.js","tlsh":"0a41845a54f2b27916f3faa8950b24091263e11b7d08aca4f28c02900f4f7ac11f26ee","sha256":"340b2faf0f0b89b9a7e2c3715bd154c20d6cf73c082017d83a2d27644af21f31"},{"path":"package.json","tlsh":"66e02b148ea0967b34c48bad1a63805a6a26493a1244586463c79498565677708bf34f","sha256":"79787e156405d51285006f4bee73e22e8e1851f494ceae0290cd7c9c5b4fca3c"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/canary-ci-test/MAL-2026-5972.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}