{"id":"MAL-2026-6098","summary":"Malicious code in stackus (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456)\nOn require(), lib/writer.js (loaded transitively from the package's main pino.js) collects the installer's full process.env together with host identifiers (os.hostname, os.userInfo().username, os.platform(), and external MAC addresses) into a `data` object, then performs an unconditional axios GET to https://www.jsonkeeper.com/b/MYUKZ and passes the response body through eval(). A second hex-obfuscated jsonkeeper.com URL (https://www.jsonkeeper.com/b/HY6M6) is also staged in the same file. jsonkeeper.com is an anonymous, user-editable JSON paste host, so the eval'd payload is mutable attacker-controlled content with closure access to the staged environment dump — a complete credential-exfiltration + remote-code-execution channel that fires on every consumer that imports the package.\nThe package masquerades as the pino logger: it declares main=pino.js, homepage=https://getpino.io, replicates pino's writer/proto/levels/transport API surface, and ships pino-branded images, while the package name 'stackus' is unrelated to pino.\n","modified":"2026-06-18T05:46:38.903192069Z","published":"2026-06-18T04:09:20Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006976","source":"amazon-inspector","import_time":"2026-06-18T05:42:06.381043496Z","modified_time":"2026-06-18T04:09:20Z","sha256":"0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456","versions":["1.0.6"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/stackus/v/1.0.6"}],"affected":[{"package":{"name":"stackus","ecosystem":"npm","purl":"pkg:npm/stackus"},"versions":["1.0.6"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"stackus-1.0.6.tgz","hashes":{"sha1":"318af0159d1c7707e532ff24961d745574f2ab48","sha512_sri":"sha512-CveWbGxKlyZO7Veaccxzlh6MaR763pSNRnReMwodxptacTBlTRU0hr1mmU30mXL5Z1c4lhWh+aN0iHC0Api4nw=="}}],"evidence_files":[{"path":"lib/writer.js","tlsh":"781120a2c392a414223017f248db4820bee5f35120d3418cbebc8ada2bf39e17154fa8","sha256":"b6d314d7ec721484bb7a6d72c9dc580e8b9e9d53ca459480f98a20366b823c7d"},{"path":"package.json","tlsh":"7f01bd24ce388d6304e8289148a90287a6609c575c1cbd2c73c7232c1f4d57f15ba12e","sha256":"dc7cdf9baf1f4001603a7659b60d6766d493b6108d4654aabbe7e601940ea4c0"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stackus/MAL-2026-6098.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}