{"id":"MAL-2026-5993","summary":"Malicious code in sheratan_test_p (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (472354ac3cd0bba5d399eea2f09e4b7f60cb2cb65e20d4af0f6398882403f566)\nOn `npm install`, the package's postinstall.js executes `whoami` via child_process and POSTs the output (along with stderr, error, and a timestamp) to a hardcoded webhook.site collector URL. The package self-describes as 'A simple date formatting utility' and contains no code matching that purpose; the only behavior on install is the host-identity beacon. Package metadata is consistent with a throwaway exfiltration artifact (placeholder name `sheratan_test_p`, empty author, generic description). Any developer or CI runner installing this package leaks their user/host context to an attacker-controlled third-party collector.\n","modified":"2026-06-17T06:02:05.511045133Z","published":"2026-06-17T04:20:05Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-17T04:20:05Z","versions":["1.0.0"],"sha256":"472354ac3cd0bba5d399eea2f09e4b7f60cb2cb65e20d4af0f6398882403f566","id":"IN-MAL-2026-006877","source":"amazon-inspector","import_time":"2026-06-17T05:45:41.767579872Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/sheratan_test_p/v/1.0.0"}],"affected":[{"package":{"name":"sheratan_test_p","ecosystem":"npm","purl":"pkg:npm/sheratan_test_p"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"4d1b634763fa4a255efa015a26989675ddc0f23b","sha512_sri":"sha512-rfLv2VrkpTah2GDy7hj6/cq/2VdloGPatHdvKt0mijXyEp5T42RrOY2DT0cQJBiv4hy3bOw7pJTwSLMQhkan7Q=="},"filename":"sheratan_test_p-1.0.0.tgz"}],"evidence_files":[{"sha256":"3b000e0e744ef8a80f1d503b690be975df0e2e6b75f6951cec18d57862e425ce","tlsh":"a501bd824da235555bf1d6a0f1129608fb83c63ba431c7637bfe02692fe98a00011fdc","path":"postinstall.js"},{"sha256":"01bf71070be153cf01fcdc752d647f418af4af775ab6c5fe8c1208f83ad59de2","tlsh":"b6d0a7254911523367b44aa55a234507b5218f1e15384c0f71bb141842d36b244aa71a","path":"package.json"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sheratan_test_p/MAL-2026-5993.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}