{"id":"MAL-2026-6196","summary":"Malicious code in build-tracker-n5p1 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619)\nPackage name suggests build telemetry tooling, but the tarball ships beacon scripts (beacon18.js, beacon_linux.js) wired to a postinstall lifecycle hook (\"postinstall\": \"node run.js\" in package.json line 9). On install, these scripts collect host identifiers via os.hostname()/os.platform() and child_process, then issue outbound HTTP GET/POST requests via http.request from the installer's machine. This combination — auto-execute on install, host fingerprinting, and outbound HTTP exfiltration — is a classic install-time host beacon / data-exfiltration pattern. There is no legitimate build-tracking reason to fingerprint the host and beacon out at install time without consent or configuration.\n","modified":"2026-06-19T07:31:48.590382414Z","published":"2026-06-19T06:48:23Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-19T06:48:23Z","versions":["1.0.0"],"sha256":"e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619","import_time":"2026-06-19T07:17:17.04916041Z","id":"IN-MAL-2026-007063","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/build-tracker-n5p1/v/1.0.0"}],"affected":[{"package":{"name":"build-tracker-n5p1","ecosystem":"npm","purl":"pkg:npm/build-tracker-n5p1"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/build-tracker-n5p1/MAL-2026-6196.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"build-tracker-n5p1-1.0.0.tgz","hashes":{"sha512_sri":"sha512-1ewZPwcvfuPSDb8az9ZKsf+vSdigoiqsz3974zJjSc1wTeduiB0PqmI1KkATaKSS0NMfUF29ZNh5X46lqAZs3Q==","sha1":"90d56afa52e250803cff05b1068d20f8a7814072"}}],"evidence_files":[{"path":"beacon18.js","sha256":"9c82a9ea5aeb13cc266d5054ddf5c44f87eb909bd09124e0b370aac445c9010f","tlsh":"b112b431e4215c247592d5ad8a0b94293137b3133a62fea0bb8e748c2fce15e82765fd"},{"path":"beacon_linux.js","sha256":"60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68","tlsh":"5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"},{"path":"package.json","sha256":"3161b3929d5a1c917c8d288f302c6f0dbb7af784f83c13024a5cee04f1e3789d","tlsh":"fdf08b54983039336ac02ad80ca2494af6304f0b61947d5d427b192842dee3a70bf11e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}