{"id":"MAL-2026-6085","summary":"Malicious code in @hotcappuccino/nodepull (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99)\n@hotcappuccino/nodepull@1.0.0 ships a single `index.js` (the package's declared `main`) that is wrapped in an obfuscator.io string-array + RC4-encrypted-string scheme. At top level — fires on every `require('@hotcappuccino/nodepull')` — the module loads `child_process`, `fs`, `os`, `path`, and an HTTP client; reconstructs a dotted URL through repeated `''.repeat(N,'.')` concatenations of RC4-decrypted fragments; performs `httpClient.get(URL + path)`; writes the response body to `path.join(os.tmpdir(), \u003cfilename\u003e)` via `fs.writeFileSync(..., {flag:'w+'})`; and immediately invokes `child_process.spawn(filePath, args, {windowsHide: true, cwd: os.tmpdir()})`. The 249-entry rotated string array is decoded by `b`/`c` using base64 + RC4 keyed by index 0, hiding the URL, spawned command, and required module names from inspection. There is no legitimate purpose served by RC4-encrypting every string (including module names) in a package whose only behavior is to fetch and execute a remote binary at import time. Any installer that requires this package executes attacker-controlled bytes from a hidden remote endpoint as a child process with the console window suppressed.\n","modified":"2026-06-17T22:46:52.278438187Z","published":"2026-06-17T21:52:46Z","database_specific":{"malicious-packages-origins":[{"sha256":"42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99","id":"IN-MAL-2026-006949","import_time":"2026-06-17T22:38:21.580532972Z","source":"amazon-inspector","modified_time":"2026-06-17T21:52:46Z","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@hotcappuccino/nodepull/v/1.0.0"}],"affected":[{"package":{"name":"@hotcappuccino/nodepull","ecosystem":"npm","purl":"pkg:npm/%40hotcappuccino%2Fnodepull"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"862d8d193ef2863437bd2214624b63b395413facdc0509338ee664f7f33a7218","tlsh":"5292b6cc3bc1b0b45373f07b7e1aa0a2f16a5c8db2998444f796f498f968314d1b6b58","path":"index.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-8Vah9+Gyl9qmwOSzyz1m22PsAPm+3eEER3N+AQdrKLc2gPAnkBZBrdxhPiWm4iVgIgF2DqXH6SqUJEhfnTxmFw==","sha1":"6f1f32f8873905f3605441e8ca426bdf1443a072"},"filename":"nodepull-1.0.0.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hotcappuccino/nodepull/MAL-2026-6085.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}