{"id":"MAL-2026-6079","summary":"Malicious code in set-proto-chain (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633)\nlib/index.js contains a base64-encoded URL (decoding to https://jsonkeeper.com/b/BN77K, an anonymous mutable paste host) that is fetched via axios.get; the response's `.data.cookie` field is then written to the stdin of a detached `node` child process for execution. The top-level index.js calls getThetaInterface() unconditionally, and package.json declares `postinstall: node index.js`, so the fetch-and-execute path fires automatically on `npm install` as well as on require(). The fetched payload is attacker-controlled and can change at any time. The package additionally impersonates the legitimate `proto-chain` package (README header `# proto-chain`, runtime error messages referencing `require('proto-chain')`), making accidental installs more likely.\n","modified":"2026-06-17T22:01:48.792756558Z","published":"2026-06-17T21:38:59Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-17T21:38:59Z","versions":["1.0.3"],"source":"amazon-inspector","id":"IN-MAL-2026-006943","import_time":"2026-06-17T21:42:18.106575788Z","sha256":"bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/set-proto-chain/v/1.0.3"}],"affected":[{"package":{"name":"set-proto-chain","ecosystem":"npm","purl":"pkg:npm/set-proto-chain"},"versions":["1.0.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/set-proto-chain/MAL-2026-6079.json","indicators":{"package_integrity":[{"filename":"set-proto-chain-1.0.3.tgz","hashes":{"sha1":"cc8af25f10faa1ecdd3bd6e4d22164b63e361e7e","sha512_sri":"sha512-WFO6/fFWU5IiKgDwkGONGAKSeUtksNNXWJcqoc+yCPksqQXvztZoHwxDVZf5UhKyW1a56N2cecJJEZQi2inqAg=="}}],"evidence_files":[{"path":"lib/index.js","sha256":"72a8a52cbb98921b689173423a2970d414fd2c32e3a5aea47db7be9550024a10","tlsh":"46f0275b317b63781f700de0d53289364d43d020f582d1e4648e80579a8b647044aeec"},{"path":"package.json","sha256":"ce924b408f4f3fc6200295dc9c5a8083a6bf5802872cb8cf7c495d1d1b9ee6d5","tlsh":"0d21bb21e4e2aca307e5526a3c2e52573191d917898bfc0cb3aa034c8f5c63b92f825d"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}