{"id":"MAL-2026-6067","summary":"Malicious code in scan-only (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a7779ff21d9783e1026e13a7abf65e448c5f3d3d111f3cae539f3690e53a2b4)\nThe CLI binary at bin/scan-only.js, when invoked (e.g., via `npx scan-only --diagnose`), harvests installer-side secrets and ships them to a hardcoded attacker endpoint, then fetches and executes attacker-controlled shell commands. Specifically, the binary reads ~/.gitconfig, ~/.ssh, ~/.npmrc (npm token), ~/.aws/credentials, ~/.docker/config.json, ~/.bash_history, ~/.zsh_history, the full process.env, os.userInfo(), and network interfaces, packages them into a `recon` object, and POSTs them to https://sentry.citadel-casino.com/collect with a hardcoded `x-api-key` header and user-agent `citadel-diagnose/0.2.0`. It also fetches https://sentry.citadel-casino.com/decoy, runs a `refineText()` routine that extracts a hidden command via an acrostic of first letters terminated by `endofpayload`, unescapes tokens like `sbslash` to `\\`, and passes the result to execSync via `/bin/sh` on Unix or `powershell -EncodedCommand` on Windows — giving the operator of sentry.citadel-casino.com arbitrary code execution on the host running the CLI. The exfiltration output is masked by fake `Sentry Diagnostic Tools v1.2.0` console banners, and the Sentry-lookalike subdomain on citadel-casino.com is brand-impersonation cover. package.json's generic `Diagnostic tool` description and `scan-only` bin name disguise the binary's true `citadel-diagnose` identity. Harm fires the moment a developer or CI system runs the CLI.\n","modified":"2026-06-17T20:01:51.903742695Z","published":"2026-06-17T17:04:07Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-17T17:04:10Z","source":"amazon-inspector","id":"IN-MAL-2026-006907","versions":["0.4.2"],"sha256":"117c86ce8a46816d63f57e4c6f2015c70c92480428c4436f78b492bfaa5cb2c3","import_time":"2026-06-17T17:32:18.891967002Z"},{"modified_time":"2026-06-17T17:04:14Z","source":"amazon-inspector","id":"IN-MAL-2026-006911","sha256":"7b940e23f31bc48db5cf3c87a8e9fa1b746505e326521105619dfe12f883da4b","versions":["0.4.3"],"import_time":"2026-06-17T17:32:19.526071358Z"},{"modified_time":"2026-06-17T17:04:13Z","source":"amazon-inspector","id":"IN-MAL-2026-006910","versions":["0.2.0"],"sha256":"aa03231f11911a8cb8561add13ed2cf6a705021ea2f5b8f6e949a99796cd7cb4","import_time":"2026-06-17T17:32:19.396413515Z"},{"modified_time":"2026-06-17T17:04:11Z","source":"amazon-inspector","id":"IN-MAL-2026-006908","sha256":"b523ee98635b5214fba801ee136ec0548d4e16c132516d087c788bce841658e0","versions":["0.4.1"],"import_time":"2026-06-17T17:32:19.0702368Z"},{"modified_time":"2026-06-17T17:04:17Z","source":"amazon-inspector","id":"IN-MAL-2026-006912","versions":["0.4.0"],"sha256":"21ae3a240675015022a6f119cc0795f3904276a955f1bb5f653e883d778c3697","import_time":"2026-06-17T17:32:19.653325509Z"},{"modified_time":"2026-06-17T17:04:07Z","source":"amazon-inspector","id":"IN-MAL-2026-006906","sha256":"4efea3893451636daac8f951e74e6c36c3fb72b10defac3eadba6ef360913425","versions":["0.4.4"],"import_time":"2026-06-17T17:32:18.758196493Z"},{"modified_time":"2026-06-17T17:04:12Z","source":"amazon-inspector","id":"IN-MAL-2026-006909","sha256":"633fb5a8c3bbce8086e8c9e8853fa6a81f8b0d2a7645938be0a2fc32aa0be3af","versions":["0.3.0"],"import_time":"2026-06-17T17:32:19.240982956Z"},{"modified_time":"2026-06-17T18:12:09Z","source":"amazon-inspector","id":"IN-MAL-2026-006924","sha256":"02d12029193cf5c42cb47575070769fa2863a4bcfd87877ff5eadd84e3fcf005","versions":["0.5.0"],"import_time":"2026-06-17T18:56:07.528950461Z"},{"modified_time":"2026-06-17T18:12:01Z","import_time":"2026-06-17T18:56:07.29012233Z","id":"IN-MAL-2026-006922","sha256":"8f6d12c05f2ed743b7e67b06d43d3a696f581f6f2b65744fc721e36ef34f3901","versions":["0.4.9"],"source":"amazon-inspector"},{"modified_time":"2026-06-17T18:11:26Z","source":"amazon-inspector","id":"IN-MAL-2026-006920","versions":["0.4.5"],"sha256":"9a7779ff21d9783e1026e13a7abf65e448c5f3d3d111f3cae539f3690e53a2b4","import_time":"2026-06-17T18:56:07.093300102Z"},{"modified_time":"2026-06-17T18:12:07Z","source":"amazon-inspector","id":"IN-MAL-2026-006923","versions":["0.4.8"],"sha256":"a2a62b541f49c4afa753b1eca36ea975a55b5acdc67a2afa657e35147a7c7169","import_time":"2026-06-17T18:56:07.381391084Z"},{"modified_time":"2026-06-17T18:11:29Z","import_time":"2026-06-17T18:56:07.18341298Z","id":"IN-MAL-2026-006921","versions":["0.4.6"],"sha256":"d71b7cd780060714d911a699eb3c6d843b772573e9de99380a9c9fc0130268cb","source":"amazon-inspector"},{"modified_time":"2026-06-17T18:11:25Z","import_time":"2026-06-17T18:56:06.953556919Z","id":"IN-MAL-2026-006919","versions":["0.4.7"],"sha256":"da16f6edd9f3f0a876381602ddcd89b2717f68fd8d4888101a313628c8676f01","source":"amazon-inspector"},{"modified_time":"2026-06-17T19:21:10Z","source":"amazon-inspector","id":"IN-MAL-2026-006932","sha256":"74f20dc79ebffd17c5af3ec0600301a0d201519da36e656163d6c9032db9d84a","versions":["1.0.0"],"import_time":"2026-06-17T19:45:56.810949319Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.3.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.5.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/0.4.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/scan-only/v/1.0.0"}],"affected":[{"package":{"name":"scan-only","ecosystem":"npm","purl":"pkg:npm/scan-only"},"versions":["0.4.2","0.4.3","0.2.0","0.4.1","0.4.0","0.4.4","0.3.0","0.5.0","0.4.9","0.4.5","0.4.8","0.4.6","0.4.7","1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"scan-only-0.4.2.tgz","hashes":{"sha512_sri":"sha512-v44G5m8NHZ0laA4Dk0oJTrDUMpv19B+v+vILNHX7Ahbq0L1Bb9pTnOaERhpvPP5GHDXzyDeagE0O0v/PXHfQsA==","sha1":"ec5d160391d9ea934e73941e3a44bee264dcc7c9"}}],"evidence_files":[{"tlsh":"4ca175aa01fd483417a7205d150f04a229477f036906fd997b2c579e6fd9a6cc0f339d","path":"bin/scan-only.js","sha256":"fd0b7ebeca51f16a3ea22859ffb571a31a25ff0153cbc5142853baf11def9ab5"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/scan-only/MAL-2026-6067.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}