{"id":"MAL-2026-6243","summary":"Malicious code in atlasora-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cf7c54cd0923afe13aadf778a5c213363c521e7a50c4b9e235bf6c7cf58a973d)\nOn `npm install`, the package's postinstall hook (`node install.js`, declared in package.json) harvests secrets from the installer's machine and POSTs them to a hardcoded attacker-controlled webhook at https://webhook.site/22e20640-e2a1-4bb2-b203-061077d055ff. Collected data includes: a long list of named environment variables (COINBASE_*, OPENAI_API_KEY, AWS_ACCESS_KEY_ID/SECRET, JWT_SECRET, PRIVATE_KEY, MNEMONIC, etc.); the contents of `.env`, `.env.local`, and `.env.production` from the current working directory and parent directories; files under `~/.ssh/` filtered for content containing `PRIVATE` or `KEY` (private SSH keys); `~/.aws/credentials`; `~/.npmrc` (npm auth tokens); and the output of `git config --list`. The source uses a constant explicitly named `EXFIL_SERVER` and labels the operation as a collection target. The package also masquerades as an internal AtlasOra package — the console output prints `@atlasora/shared: installed successfully` while the actual package name is `atlasora-utils`, consistent with a dependency-confusion lure targeting developers of the AtlasOra project.\n","modified":"2026-06-20T13:46:43.425439987Z","published":"2026-06-20T13:10:04Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007096","modified_time":"2026-06-20T13:10:04Z","versions":["1.0.0"],"sha256":"cf7c54cd0923afe13aadf778a5c213363c521e7a50c4b9e235bf6c7cf58a973d","import_time":"2026-06-20T13:37:51.185796639Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/atlasora-utils/v/1.0.0"}],"affected":[{"package":{"name":"atlasora-utils","ecosystem":"npm","purl":"pkg:npm/atlasora-utils"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-utils/MAL-2026-6243.json","indicators":{"evidence_files":[{"path":"install.js","tlsh":"887175a180f6026056d33ae7e58f24252215f153be12eed43ddc12519f8a62c86f2bff","sha256":"5849f99b3c22a51b079d3d793718c0b48cde0e1c6ed7d7738edaf87e8e01eb88"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-zjuOgzCKZAGXQmdqjYUpiIiCHGfmQqXDnvMwKOlnToqcgct7PRLKR3BgZEks1lJO8eYGcZH9A53Kp9XFzUbErw==","sha1":"e361ba6ed2a87b66017b204029203cf552944df2"},"filename":"atlasora-utils-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}