{"id":"MAL-2026-6239","summary":"Malicious code in atlasora-config (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092)\nThe package declares a postinstall hook in package.json (\"postinstall\": \"node install.js\") that auto-executes install.js on every npm install. install.js imports https, fs, os, and child_process; collects host identity via os.hostname() and os.userInfo() (line 16, 18); reads filesystem state with fs.existsSync (lines 53, 62, 83); shells out via execSync (line 77); and POSTs the collected data over an https.request to a remote endpoint (lines 96, 104, 113). The combination of host/user identity collection, filesystem probing, command execution, and outbound HTTPS POST inside a postinstall script is the canonical install-time exfiltration shape. Installing the package causes the installer's machine identity and environment data to be transmitted to a remote endpoint without consent.\n","modified":"2026-06-20T13:46:43.307234321Z","published":"2026-06-20T13:10:08Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007100","sha256":"f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092","import_time":"2026-06-20T13:37:51.60885376Z","modified_time":"2026-06-20T13:10:08Z","versions":["1.0.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/atlasora-config/v/1.0.0"}],"affected":[{"package":{"name":"atlasora-config","ecosystem":"npm","purl":"pkg:npm/atlasora-config"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"atlasora-config-1.0.0.tgz","hashes":{"sha1":"6b8f98a8959ab2947fa6188999f9d2b7c17b897a","sha512_sri":"sha512-ErMNtFOTG1lWfJv2GmoMcPABREmovtWRERUTchHb/GK8VZc45f4xTJlmvVupKCLtMtO8leRi6lkLJuSye8JEfQ=="}}],"evidence_files":[{"tlsh":"887175a180f6026056d33ae7e58f24252215f153be12eed43ddc12519f8a62c86f2bff","sha256":"5849f99b3c22a51b079d3d793718c0b48cde0e1c6ed7d7738edaf87e8e01eb88","path":"install.js"},{"tlsh":"bfe02b306a20cc335ad466694d62500679314f4bc4486c1d37d73028978e77609bea1d","sha256":"45d3280c7ac0a0eb1c04adee2481176cf99f5baf78299a5d50fec2da2629aa05","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-config/MAL-2026-6239.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}