{"id":"MAL-2026-6084","summary":"Malicious code in @array-util/nodepull (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b)\n@array-util/nodepull@1.1.1 ships a single 19 KB obfuscated index.js as its main entry. On require()/import, the IIFE silences process error handlers via process.on('uncaughtException',...) and process.on('unhandledRejection',...), builds a URL by chained string.replace() calls to reassemble dotted host/path tokens, loads os/fs/path/child_process plus an HTTP client, downloads a remote resource, writes the response body to path.join(os.tmpdir(), \u003cname\u003e) with flag 'w+', and executes the dropped file via child_process.exec with {windowsHide: true, cwd: process.cwd()}. The string array, decoder (custom-base64 + RC4 via function c(b,d)), and control-flow flattening (obfuscator.io output, ~814 transforms per webcrack) conceal the URL, dropped filename, and exec target so URL/IP pattern scanners cannot read them. Package metadata is hollow (empty description, empty author, ISC license, no documented API; README only shows an install line and a bare require()) — there is no legitimate functionality, only the dropper. Any developer or build system that installs and require()s this package fetches and executes attacker-controlled code under the installer's UID with errors silenced.\n","modified":"2026-06-17T22:46:52.182172082Z","published":"2026-06-17T21:49:58Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006946","import_time":"2026-06-17T22:38:21.248625933Z","versions":["1.1.1"],"source":"amazon-inspector","sha256":"bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b","modified_time":"2026-06-17T21:49:58Z"},{"id":"IN-MAL-2026-006947","import_time":"2026-06-17T22:38:21.377150016Z","versions":["1.0.0"],"source":"amazon-inspector","sha256":"c171d764fc1dd7e67c3a09b1092c94ae915786d3776a1246c916f153095a92cb","modified_time":"2026-06-17T21:50:00Z"},{"id":"IN-MAL-2026-006948","import_time":"2026-06-17T22:38:21.485714871Z","versions":["1.1.0"],"modified_time":"2026-06-17T21:50:01Z","sha256":"e5a36af206cdff9358c1d3357469fd896fb1607d2401b6f035aaaf35451babac","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@array-util/nodepull/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@array-util/nodepull/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@array-util/nodepull/v/1.1.0"}],"affected":[{"package":{"name":"@array-util/nodepull","ecosystem":"npm","purl":"pkg:npm/%40array-util%2Fnodepull"},"versions":["1.1.1","1.0.0","1.1.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-SbUz5aEQYG/a/oMO88Aic0Hsrnnmn3ZO3aW5U4JN7NQOog+Fj1slvi+dgIfgxsHJVmLj/SRuAZK/LonDjobZSA==","sha1":"d4c9a913a0bb2abdb124751dbaba2b82d8ac0a7e"},"filename":"nodepull-1.0.0.tgz"}],"evidence_files":[{"tlsh":"269297cc3bc1b0a05763b0bb7e1ba097e1b95c8d629d8849f796f454fc6c314d0a6b58","path":"index.js","sha256":"7b5b770d70e973acac39aaa3e095d699521472ed13cee94020accf76c12f6066"},{"tlsh":"3ed0a7345b62543305c501520c2d90577291cf1f0004380943cb2c3c95de6b3acfa35d","path":"package.json","sha256":"78cd536760bd3efc49deaa988e9a1748ab0831ddf1ef1f768effec38c5f1d353"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@array-util/nodepull/MAL-2026-6084.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}