{"id":"MAL-2026-6490","summary":"Malicious code in data-parser-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2fb4c4230fa7663c13b273922ecdf6dad55a30791d1332067841ec011814e5b8)\nindex.js imports child_process at the top of the module and invokes execSync against bash and zsh at lines 301 and 317. The shape — require('child_process') at module top with execSync('bash...') and execSync('zsh...') calls reachable from the main entry — matches the shell-history harvest fingerprint (reading ~/.bash_history / ~/.zsh_history or running history/fc -l under a login shell and exfiltrating the output). Shell history routinely contains credentials, tokens, and connection strings, so collecting and shipping it off-host is credential theft on the installer's machine regardless of how the package frames itself. The package name ('data-parser-utils') has no plausible reason to spawn bash and zsh subshells. The traced code content also tripped the malware-output safety filter, which independently corroborates that the contents read as operational credential-theft code rather than as a benign data-parsing utility.\n","modified":"2026-06-26T01:16:24.838397810Z","published":"2026-06-26T00:34:38Z","database_specific":{"malicious-packages-origins":[{"sha256":"2fb4c4230fa7663c13b273922ecdf6dad55a30791d1332067841ec011814e5b8","id":"IN-MAL-2026-007574","import_time":"2026-06-26T00:59:25.88238589Z","versions":["3.0.2"],"modified_time":"2026-06-26T00:34:38Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/data-parser-utils/v/3.0.2"}],"affected":[{"package":{"name":"data-parser-utils","ecosystem":"npm","purl":"pkg:npm/data-parser-utils"},"versions":["3.0.2"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-I8tEhgtMrMev8ZI1tzf281tsvk+c2a/FUHkqmHn5KLoqth3dXj0tEGIzNh0O3m2h+O2Y8sk7b/0+KTAa9kETzQ==","sha1":"a9e315f9218ae19316043eab67afbc4d711f6134"},"filename":"data-parser-utils-3.0.2.tgz"}],"evidence_files":[{"sha256":"dcd2c5bc4f5ed2ff05a9dc2350eabea2a10fa3178f7e3790681db7958f192006","path":"index.js","tlsh":"a272a89a15f7213242e373f8555f100a76a9c043360ade8977dc87582f9e528a2f6fec"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/data-parser-utils/MAL-2026-6490.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}