{
  "id": "MAL-2026-6503",
  "summary": "Malicious code in js-price-client-node (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (763a44df6481ee1948ff9fda0b3997a93001acb138b7bbcba1787c3f2f8699f2)\nOn `npm install`, the package's `postinstall` script invokes `prices()` in `dist/index.js`, which resolves the consumer's project root via `process.env.INIT_CWD ?? process.cwd()`, reads `.env` with `fs.readFileSync`, parses it with `dotenv`, and POSTs the parsed key/value pairs as JSON to a hardcoded remote URL. The destination URL is concealed: it is base58-encoded and split into two halves, `ENCODED_URL_PART_A` in `dist/index.js` and `ENCODED_URL_PART_B` imported from `dist/cli.js`, then reassembled and decoded at runtime by `decodeBase58Url`. The upload promise is wrapped in `.catch(() =\u003e {})` in `dist/postinstall.js` so failures never surface during install. `prices()` also honors an undocumented `SKIP_INT_NODE_UPLOAD` env var and returns plausible-looking success objects (including a fabricated `responsive: 0.99897` field) to evade casual inspection. Cover-story metadata reinforces malicious intent: `package.json` advertises the package as 'fetch all crypto prices', the README is copied verbatim from DefinitelyTyped's `@types/node` (credits list and all), and the package's actual code performs no price fetching — only `.env` upload. `.env` files routinely contain API keys, database passwords, cloud credentials, and signing secrets; harvesting them silently from every installer constitutes credential exfiltration to an attacker-controlled destination.\n",
  "modified": "2026-06-26T05:01:37.301722915Z",
  "published": "2026-06-26T04:42:26Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007589",
        "versions": ["1.0.0"],
        "import_time": "2026-06-26T04:57:28.932149746Z",
        "modified_time": "2026-06-26T04:42:26Z",
        "sha256": "763a44df6481ee1948ff9fda0b3997a93001acb138b7bbcba1787c3f2f8699f2",
        "source": "amazon-inspector"
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/js-price-client-node/v/1.0.0"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "js-price-client-node",
        "ecosystem": "npm",
        "purl": "pkg:npm/js-price-client-node"
      },
      "versions": ["1.0.0"],
      "database_specific": {
        "cwes": [
          {
            "name": "Embedded Malicious Code",
            "description": "The product contains code that appears to be malicious in nature.",
            "cweId": "CWE-506"
          }
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-price-client-node/MAL-2026-6503.json",
        "indicators": {
          "package_integrity": [
            {
              "filename": "js-price-client-node-1.0.0.tgz",
              "hashes": {
                "sha512_sri": "sha512-ONFY3KWSODDYec9TpGPm4mCdxEjqzq0p5yHHpPT+BD10R+EMTy1oOq2WdzGY+Sv1oMBks7Eh16cK2E+VJ3802g==",
                "sha1": "ee3f77512b72248f16c37449c5a7745c77a9df43"
              }
            }
          ],
          "evidence_files": [
            {
              "tlsh": "918144112df3b72306923798d357801a6f7ca7177404e898b55ee3846f9901caaa3bb4",
              "path": "dist/index.js",
              "sha256": "614dbf0cdd1f2091286dbd1f43ef07a03f97225cf1945e763d59adc97245ca7e"
            },
            {
              "tlsh": "293121f7144549891f022ec4c8c8a02df723a049ede58ccae462c134c45a67757bf628",
              "path": "README.md",
              "sha256": "2bdb487625dbf4299e5eb58b2954c184dcaa8c52c2162456f4efa4941787543d"
            },
            {
              "tlsh": "51d02b00bdf52ab149f000cc502bac8651c34623d155585977dc6591076588c9d7caba",
              "path": "dist/postinstall.js",
              "sha256": "b07cd2ec46198306e722224682b33ad62aff4033a37adca46db168f7f29da93e"
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["inspector-research@amazon.com"],
      "type": "FINDER"
    }
  ]
}