{"id":"MAL-2026-5992","summary":"Malicious code in runtime-metrics-w7k2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9c2062a3f2564ced7261d9b8be8a49e11117bd74ffe3e92aad6029c471921e2d)\nPackage declares a postinstall hook (`\"postinstall\": \"node run.js\"`) that fires automatically on `npm install`. The tarball ships beacon scripts (`beacon18.js`, `beacon_linux.js`) that import `child_process`, `os`, and `http`, read host identifiers via `os.hostname()` / `os.platform()`, and issue outbound HTTP `GET`/`POST` requests carrying that data. The combination — automatic install-time execution, host enumeration, child_process reachability, and unsolicited outbound HTTP from an unknown low-reputation package named with a random suffix — matches a host-beacon / exfiltration shape with no legitimate library purpose. Installing this package on a developer or CI machine causes immediate disclosure of host metadata to an external endpoint and provides the publisher a foothold for follow-on commands.\n","modified":"2026-06-17T06:02:05.383195508Z","published":"2026-06-17T04:41:58Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006899","source":"amazon-inspector","modified_time":"2026-06-17T04:41:58Z","import_time":"2026-06-17T05:45:43.210206573Z","sha256":"9c2062a3f2564ced7261d9b8be8a49e11117bd74ffe3e92aad6029c471921e2d","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/runtime-metrics-w7k2/v/1.0.0"}],"affected":[{"package":{"name":"runtime-metrics-w7k2","ecosystem":"npm","purl":"pkg:npm/runtime-metrics-w7k2"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"e8bf3fc890bbb3c047cca830ab684902645a0d33","sha512_sri":"sha512-aa8e3LNjuadgZaBuAxX3r+AnJOH2a4VAQKKCNPPPCjyOS/N+dLm8rbBunGSgLs8keutcI/zz+ESydrsRlvuC1w=="},"filename":"runtime-metrics-w7k2-1.0.0.tgz"}],"evidence_files":[{"tlsh":"b112b431e4215c247592d5ad8a0b94293137b3133a62fea0bb8e748c2fce15e82765fd","path":"beacon18.js","sha256":"9c82a9ea5aeb13cc266d5054ddf5c44f87eb909bd09124e0b370aac445c9010f"},{"tlsh":"5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded","path":"beacon_linux.js","sha256":"60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68"},{"tlsh":"33f0c048ac203c335ac03ed80da3598af6308f0b61547e5d8277192842def3a74bf15d","path":"package.json","sha256":"c12b616c047fdbeed5685f9e5d6f034d5d833bd5a1024a4ef97e2cd51b8dd0d6"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/runtime-metrics-w7k2/MAL-2026-5992.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}