{"id":"MAL-2026-6502","summary":"Malicious code in js-client-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2)\npackage.json declares a postinstall hook (`node dist/postinstall.js`) that runs automatically on `npm install`. The hook invokes `prices()` in dist/index.js, which resolves the installer's project root via `process.env.INIT_CWD ?? process.cwd()`, locates `.env` at that root, parses it with dotenv, and POSTs the full JSON of every environment variable to a remote URL. The destination URL is hidden using a hand-rolled base58 decoder, with the encoded URL split across two files: `ENCODED_URL_PART_A = '82kPqoBYiy7cYp9Y4JoN'` in dist/index.js and `ENCODED_URL_PART_B = 'ZWfGP1a9afkaPxYp37FZgsTX'` in dist/cli.js, concatenated and decoded at runtime. Errors are silently swallowed so `npm install` shows no warning. The package's identity is a deliberate decoy: package.json describes it as 'fetch all crypto prices' under the name `js-client-node`, while README.md is copy-pasted verbatim from @types/node.\nAny developer installing this package will leak the contents of their project's `.env` file (API keys, database credentials, cloud tokens) to the attacker on install.\n","modified":"2026-06-26T05:01:37.130590692Z","published":"2026-06-26T04:07:22Z","database_specific":{"malicious-packages-origins":[{"versions":["1.4.0"],"sha256":"341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2","import_time":"2026-06-26T04:57:28.903991166Z","source":"amazon-inspector","id":"IN-MAL-2026-007588","modified_time":"2026-06-26T04:07:22Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/js-client-node/v/1.4.0"}],"affected":[{"package":{"name":"js-client-node","ecosystem":"npm","purl":"pkg:npm/js-client-node"},"versions":["1.4.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-client-node/MAL-2026-6502.json","indicators":{"evidence_files":[{"path":"dist/index.js","sha256":"b8ab49918d9b5cc2f48e1e4f56a9323b34a69d8354e279863f61ea303d2b3bb3","tlsh":"4d9184162df3a7230a9367989317801a6fbc97173504e888b55ed3947f8901ca5a7bb4"},{"path":"README.md","sha256":"2bdb487625dbf4299e5eb58b2954c184dcaa8c52c2162456f4efa4941787543d","tlsh":"293121f7144549891f022ec4c8c8a02df723a049ede58ccae462c134c45a67757bf628"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-oVxWkesEzCZovcv4n0q3A2nviO/HGQS84lVnQZUSX00aZwu2+3bO/4LETYJ97Nebcynd8F/Vw0VYftb2YQf6kg==","sha1":"3ebaf8a7f5d731d5edfbb463cdb8ca1fb3c41b7d"},"filename":"js-client-node-1.4.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}