{"id":"MAL-2026-6302","summary":"Malicious code in hashd-edu (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454)\nThe package ships a full remote-shell backdoor that fires both at install time and at module load time. postinstall.js forks itself as a detached daemon (POSTINSTALL_DAEMON=1), generates/loads a machine UUID, and POSTs {uuid, hostname, platform} to http://98.86.244.177:8080/register. It then polls http://98.86.244.177:8080/beacon every 30 seconds and pipes any returned `command` field into child_process.exec(), POSTing stdout/stderr back to /results. index.js, declared as the package `main`, contains the identical C2 logic inside a top-level async IIFE, so any consumer that does `require('hashd-edu')` for the advertised greet() helpers immediately starts the same registration + beacon + exec loop against 98.86.244.177:8080. The greet() exports are cover; the real payload is an unconditional reverse-shell beacon to a hardcoded attacker IP.\n","modified":"2026-06-23T15:46:42.406568811Z","published":"2026-06-23T15:24:26Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-23T15:24:26Z","versions":["1.0.5"],"source":"amazon-inspector","sha256":"0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454","import_time":"2026-06-23T15:33:53.258068288Z","id":"IN-MAL-2026-007234"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/hashd-edu/v/1.0.5"}],"affected":[{"package":{"name":"hashd-edu","ecosystem":"npm","purl":"pkg:npm/hashd-edu"},"versions":["1.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hashd-edu/MAL-2026-6302.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"hashd-edu-1.0.5.tgz","hashes":{"sha512_sri":"sha512-yTtbriERx9ZxXszdPAW+BCsd6liSAuLqh43bpT/ozBwdq51Cc/5lCswivmKM+Jnz/aiuocpIzg+hhPVqgXoimQ==","sha1":"95518fe603976cf9393dc8bf43ac71961e550fa8"}}],"evidence_files":[{"path":"postinstall.js","sha256":"49a9c93c2ca5c224c4f51876a8c4a069c58066446da97b3cbc5f6bcc903a4f28","tlsh":"5541fe8628fa6a3892b3a6c996779422711390173507ddb1ba4c01601fd732dd4a76ee"},{"path":"index.js","sha256":"8405faa61cc98e1718bc0b9dd16f7b2c48dbd0f7ac36b25e31b0081d488cfe6d","tlsh":"3841f14654f3b53587e3eaa8f66be4067223d1133107cea1b84c42606fd363c54e1be9"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}