{"id":"MAL-2026-6377","summary":"Malicious code in linux-ci-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01)\nOn require(), index.js performs a Linux platform check, then decodes a base64-obfuscated URL (https://api.ingress-hub.com/cdn/assets/update.pkg) and HTTPS-downloads an opaque binary into a hidden staging path (~/.local/share/.node_cache/.runtime), chmods 0755, drops a.lock sentinel, and spawns the binary detached with stdio ignored. There is no hash or signature verification, the URL is mutable and not version-pinned, and the host (api.ingress-hub.com) is unrelated to the package's stated purpose ('CI utilities'). Identifiers are single-letter underscore-prefixed (_D,_N,_P,_F,_U,_A,_init,_run) and the destination URL is base64-hidden — obfuscation consistent with evading casual review and registry scanners rather than minification. The package's published name (linux-ci-utils) does not match its README (which advertises 'node-ci-utils'), consistent with masquerading as a plausible utility to entice installs. Any project that requires this package executes attacker-controlled bytes on Linux hosts at import time.\n","modified":"2026-06-24T08:01:23.544300675Z","published":"2026-06-24T07:21:25Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-24T07:47:32.448642183Z","modified_time":"2026-06-24T07:21:25Z","sha256":"8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-007430"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/linux-ci-utils/v/1.0.0"}],"affected":[{"package":{"name":"linux-ci-utils","ecosystem":"npm","purl":"pkg:npm/linux-ci-utils"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"index.js","sha256":"d671eb82e7b274c846d0cd282a1ee0d7387a421f5c6a6214490a53aa9caffdcb","tlsh":"6141edd60ff37230467360dd4a9b95297253c5537546d6c8fe4c0188af8212882b6efc"},{"path":"package.json","sha256":"a48f5d2107f508e7d89b515ad90e77fc1eb6086f3758cdfea60f97de58167130","tlsh":"9be02b248930e5332ac516912d29814ff5b14f5b0144bc1c17d7817c83de7b659ff96a"}],"package_integrity":[{"hashes":{"sha1":"86a0c279f4090b8d1cae48f6a69237e669f63523","sha512_sri":"sha512-42w3fPcPyC2ttwk7T5UPXbLH458nTNfPVY2B5Fuue6j/4EppNcg6zbtXv4Hem9u2VgCfxFQopaDvwcT/RPC56A=="},"filename":"linux-ci-utils-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/linux-ci-utils/MAL-2026-6377.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}