{"id":"MAL-2026-5984","summary":"Malicious code in nepublisher (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9fc0d0609f88630f7ce36adf18c70a1d6bd3d64aaaa059a3b8ec9b97b813705a)\nOn `npm install`, lib/_init.js spawns a detached Node child process that collects host identifiers (hostname, username, cwd, IPv4 addresses, Node version, npm registry) and the names of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/, then HTTPS-POSTs the data to a hardcoded DingTalk robot webhook (oapi.dingtalk.com/robot/send) with a Chinese title meaning 'someone came online'. The script also contains explicit sandbox-evasion logic at lib/_init.js:9-12 that no-ops when the username or hostname contains 'sandbox', 'malware', 'analyst', 'cuckoo', 'analysis', or 'sample' — a clear intent signal designed to hide the beacon from automated analyzers. The collected fields plus the CI/registry-focused env-name filter are the canonical dependency-confusion reconnaissance pattern: identify which organizations have pulled the package by mistake and harvest target intel for follow-on internal-package attacks.\n","modified":"2026-06-17T06:02:04.306405827Z","published":"2026-06-17T04:23:28Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"9fc0d0609f88630f7ce36adf18c70a1d6bd3d64aaaa059a3b8ec9b97b813705a","import_time":"2026-06-17T05:45:42.188653548Z","versions":["0.4.0"],"modified_time":"2026-06-17T04:23:28Z","id":"IN-MAL-2026-006884"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nepublisher/v/0.4.0"}],"affected":[{"package":{"name":"nepublisher","ecosystem":"npm","purl":"pkg:npm/nepublisher"},"versions":["0.4.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"nepublisher-0.4.0.tgz","hashes":{"sha512_sri":"sha512-5ghcPxkKlnNPYpj+WD9GHxXbBOemLC5v0eXv96R1VXPyxXwDk16AWS/6tFaUm9YQ1hfeEHRpj1fjzYMskStWAw==","sha1":"75341a009e58b257a1c068c3819633d6ccb1b842"}}],"evidence_files":[{"tlsh":"f141b5e675a57638177c85c290821016da57e2223583f8e0fc2c41d61bc78fa9af293e","path":"lib/_init.js","sha256":"4dce624e18ed06db3f4d3778d19bb8fda6bb70b9bb3a835031fdc3e36478f164"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nepublisher/MAL-2026-5984.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}