{"id":"MAL-2026-6091","summary":"Malicious code in datacamp-light (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c)\nPackage impersonates the DataCamp brand while shipping near-empty stub exports (index.js `init`/`helper` return trivial constants). The postinstall lifecycle hook (`node install.js`) runs on every `npm install` and collects the installer's hostname, OS username, home directory, platform, current working directory, and timestamp, then POSTs them over HTTPS to `dc.iam.c.noratomo.asia/install` with TLS certificate verification disabled (`rejectUnauthorized: false`). The destination domain has no relationship to datacamp.com. The combination of brand-impersonating name, hollow library functionality, lifecycle-triggered outbound beacon to an unrelated domain, identifying-host fields, and disabled TLS verification is a supply-chain reconnaissance implant against developers who install this expecting DataCamp tooling.\n","modified":"2026-06-18T05:46:39.585533064Z","published":"2026-06-18T03:55:18Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"id":"IN-MAL-2026-006961","sha256":"4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c","source":"amazon-inspector","import_time":"2026-06-18T05:42:04.473269773Z","modified_time":"2026-06-18T03:55:18Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/datacamp-light/v/1.0.0"}],"affected":[{"package":{"name":"datacamp-light","ecosystem":"npm","purl":"pkg:npm/datacamp-light"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datacamp-light/MAL-2026-6091.json","indicators":{"evidence_files":[{"sha256":"3c45f85bae5b016c2d076c42d30a861aff63ea96f27e565882ec790c1e3d5f12","path":"install.js","tlsh":"4df0c9f8d3b29bb02aba92c07047c416c622f120b51bb8f0addd4180634a5a410b2cf2"},{"sha256":"3c2ce749c590c913140880bc16fa593edda2329677d2f319723144bd7a1a692f","path":"package.json","tlsh":"67f0552819228d3352d55f97284a800225b19d131480788c2f9b926c579e3be68ff32d"}],"package_integrity":[{"filename":"datacamp-light-1.0.0.tgz","hashes":{"sha1":"013dbb6a3fdbc59bcf3bc3a9e078f0ee037219cf","sha512_sri":"sha512-TCPYRb8nqFtwFTP2uGzrDd9f0VLa4JxxyuHXRc2uOaIlWmdvFou08eH4EAa60P8H6dv6Ld7bqgT5vYV3c9lR/w=="}}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}