{"id":"MAL-2026-6099","summary":"Malicious code in stream-read-35cf (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0597f71a1c39a743a4323636794601b480a1cda0c64df20d6bafa7ed601da84e)\nPackage declares a postinstall hook (\"postinstall\": \"node run.js\") that auto-executes run.js on `npm install`. run.js imports os, fs, http, https, and child_process and collects host identifiers (os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd()), reads files via fs.readFileSync / fs.existsSync, base64-encodes data via Buffer.from(...).toString('base64'), and POSTs the results to remote endpoints over http/https (multiple POST call sites at lines 135, 138, 347, 354). The package name is a short random-suffixed identifier with no documented purpose, and the only effect of installing the package is the reconnaissance + exfiltration payload. This is the canonical install-time stealer shape.\n","modified":"2026-06-18T05:46:39.063960724Z","published":"2026-06-18T03:53:34Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006959","import_time":"2026-06-18T05:42:04.275159988Z","versions":["1.0.0"],"sha256":"0597f71a1c39a743a4323636794601b480a1cda0c64df20d6bafa7ed601da84e","source":"amazon-inspector","modified_time":"2026-06-18T03:53:34Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/stream-read-35cf/v/1.0.0"}],"affected":[{"package":{"name":"stream-read-35cf","ecosystem":"npm","purl":"pkg:npm/stream-read-35cf"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"f1164377336c959d2706dd84b31300cf2fbd789b67d989081b11bd4bc404e3a6","tlsh":"46e06818cc24393339d42ae80ca29297a7708f0b60147d2c52bb692c82abb3a757b10d","path":"package.json"},{"sha256":"c4fe86d76ca58a8179a87cf2385422debb3c507410557c7830d350fc33931ade","tlsh":"8a82f77219b7461479a3e6ade66fa4005033f1177a51eca0f28c73510fcf668d5b2af8","path":"run.js"}],"package_integrity":[{"filename":"stream-read-35cf-1.0.0.tgz","hashes":{"sha512_sri":"sha512-t4ZeZgC3TmIbA6YkbcN6NGUSuIfpy/FSGSdrLbEB4TI/uLXc0TGRUYbTEwZgW6TFycqVPpCdfHi5NcYJJnGqFw==","sha1":"797292c86a08cf311fdbef10dfcc7d266d4a45a2"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stream-read-35cf/MAL-2026-6099.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}