{"id":"MAL-2026-6337","summary":"Malicious code in hunsterx-package (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (32f2430d6e0da9484283d0012a16df0c593ccb5fa2a56ea727bd19ba435f964f)\npreinstall.js executes a chain of eval(Buffer.from('\u003cbase64\u003e','base64').toString()) payloads at npm install time. The decoded payloads collect host identity (os.hostname, os.userInfo, cwd, network interfaces), the full process.env (chunked over DNS if larger than 5KB), the contents of ./.npmrc and ~/.npmrc, AWS EC2 instance-identity metadata fetched from IMDSv2 at 169.254.169.254 (account ID, region), and recursive reads of *.env / *.config / *.yaml / *.toml files in the working directory. All collected data is transmitted via https.get and dns.resolve to d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun (a project-discovery Interactsh out-of-band collaborator). postinstall.js additionally performs a DNS callback `postinstall-\u003crand\u003e.d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun` to confirm both lifecycle phases ran. The base64+eval wrapping has no functional purpose other than evading static review. 
Installer impact: any developer or CI runner that performs `npm install` on this package leaks npm publish tokens (from .npmrc), full environment variables (commonly containing API keys, cloud credentials, and CI secrets), and AWS account/region identifiers to the attacker.\n","modified":"2026-06-23T19:46:24.033981098Z","published":"2026-06-23T19:33:15Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-23T19:40:41.43739557Z","modified_time":"2026-06-23T19:33:15Z","id":"IN-MAL-2026-007339","versions":["7.0.1"],"sha256":"32f2430d6e0da9484283d0012a16df0c593ccb5fa2a56ea727bd19ba435f964f"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/hunsterx-package/v/7.0.1"}],"affected":[{"package":{"name":"hunsterx-package","ecosystem":"npm","purl":"pkg:npm/hunsterx-package"},"versions":["7.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hunsterx-package/MAL-2026-6337.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"6ec6fc1366927885131ef9aeb82762fddd706819","sha512_sri":"sha512-DuFgqQ8aDCaAVIVaBg/fuprOmWaurBn7GwBE6g7uXoYWcWORwXj30GfA6KFt22yozIzNzxSgwGWO/v5ZsQO8tQ=="},"filename":"hunsterx-package-7.0.1.tgz"}],"evidence_files":[{"tlsh":"1591d8b8bae539cf753555e51086799f823bb24131d3f0bac18a124f154cbd2f19137a","path":"preinstall.js","sha256":"39ae25d13298908a1878be76d11f578e23bed4a13b5934b8d2affb05b4b82b29"},{"tlsh":"31c0220c33c02ae809640bd4b082088e00028fa1a0a540e010aa1820108bb7478a3811","path":"postinstall.js","sha256":"54a8579e29bebd9f7c201dc46f98f052d23fb9b5151d2b05a44e38d7c7d0a88d"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}