{"id":"MAL-2026-5990","summary":"Malicious code in pkg-telemetry-r4f9 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e)\nOn install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine child_process, os, and http modules to collect host identifiers and send them to a remote endpoint. beacon_linux.js reads os.hostname() and os.platform() and issues an http.request POST carrying that data to a hardcoded host. beacon17.js similarly imports child_process and performs outbound HTTP GETs. The package name (\"pkg-telemetry-r4f9\" with a random-looking suffix) and its install-time-only behavior are inconsistent with any legitimate library purpose. Installing this package causes automatic, unconsented exfiltration of installer host metadata and provides a remote-execution surface via child_process.\n","modified":"2026-06-17T06:02:05.044360752Z","published":"2026-06-17T04:42:06Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-06-17T04:42:06Z","id":"IN-MAL-2026-006900","versions":["1.0.0"],"sha256":"decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e","import_time":"2026-06-17T05:45:43.258644597Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pkg-telemetry-r4f9/v/1.0.0"}],"affected":[{"package":{"name":"pkg-telemetry-r4f9","ecosystem":"npm","purl":"pkg:npm/pkg-telemetry-r4f9"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pkg-telemetry-r4f9/MAL-2026-5990.json","indicators":{"evidence_files":[{"tlsh":"f6220725b9605c306692e9688b4b94287537e3173a71fea0bbde11881fdd05ec2b18fd","path":"beacon17.js","sha256":"14bcafbb9a20038cbb57a72837cb4c4ef2d841739ae4bca23a9784ef6c4a71c2"},{"tlsh":"5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded","path":"beacon_linux.js","sha256":"60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68"},{"tlsh":"d9f08b249c2068236ac02ee90c62594eeb708f0b11547a6e827b192801dee3935be14d","path":"package.json","sha256":"9de736d505061498fa1113abb763cdb1b3802c8b47c523dc64d2228ffa7e0d4f"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-iTRxnWCbtV4C0Ipi9vkgIOQVcQao2wBMqvtF3GtqiB43h0FCv2VepKgp6fojY0ky+vjbUpZGaXZcFEdeT4gaXg==","sha1":"0dc346a212c3dd335b6ce0463c80986291547617"},"filename":"pkg-telemetry-r4f9-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}