{"id":"MAL-2026-6348","summary":"Malicious code in buffer-wrap-67d7 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a0192c1f2bf35c50a401e2df63f505564880339f5329c0ffcfdb8748cd6d48e3)\nThe package declares a postinstall hook (`\"postinstall\": \"node run.js\"`) that executes run.js automatically on `npm install`. run.js imports `os`, `fs`, `http`, `https`, and `child_process`, and collects host and user identity signals including `os.hostname()`, `os.userInfo()`, `os.platform()`, `process.env.USER`, and `process.cwd()`, alongside filesystem reads (`fs.existsSync`, `fs.readFileSync`). Collected data is base64-encoded (`Buffer.from(...).toString('base64')`) and POSTed out via http/https calls (multiple POST sites at run.js lines 131, 339, 346). The composition — automatic lifecycle trigger, system/user reconnaissance, base64 packaging, and outbound POSTs — is the canonical install-time exfiltration shape and produces direct attacker benefit (host fingerprinting and credential-adjacent data leaving the installer's machine).\n","modified":"2026-06-23T22:46:24.143443728Z","published":"2026-06-23T21:40:45Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007373","versions":["1.0.0"],"sha256":"a0192c1f2bf35c50a401e2df63f505564880339f5329c0ffcfdb8748cd6d48e3","import_time":"2026-06-23T22:31:27.205348986Z","modified_time":"2026-06-23T21:40:45Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/buffer-wrap-67d7/v/1.0.0"}],"affected":[{"package":{"name":"buffer-wrap-67d7","ecosystem":"npm","purl":"pkg:npm/buffer-wrap-67d7"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"buffer-wrap-67d7-1.0.0.tgz","hashes":{"sha1":"1d8f972ca15a011bae9725fde2add474c4ef1754","sha512_sri":"sha512-KDS5CTbDRdW1vbafOVx/vdrLaoi/rBfMW39A6gnR2Xtz4ggh7lJsMYY8Ecqfga6J1p2mFBF6iVlKSS3/E1oLfQ=="}}],"evidence_files":[{"sha256":"4d99b243a066f8b6797c51600415608ce7df061dcbdd743d01addfea8df6b4f6","tlsh":"cae068189c303a3339d02aa91c62926ba7308f0f20543d2c52b72929429bb7ab47b14d","path":"package.json"},{"path":"run.js","tlsh":"0382e67219f7462479a3eaade65fa4006523f1077a51eda0f28c73610fcf568c172af8","sha256":"45b7cdbc6e1e29b849d9cf8941adc62b6c3b18e21b4a7fb9216a62b3c7730087"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/buffer-wrap-67d7/MAL-2026-6348.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}