{"id":"MAL-2026-6535","summary":"Malicious code in disksweep (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (31a2c10aba7f3468458529214868e2d8acd9717eb7985c47ab10cf4aed64f87c)\nThe package ships a 2.9 MB Windows PE32+ executable at bin/native/parser.node (sha256 b1aace6c70312a39ca39e6bba1d9abc6aaf9b23171089b1a548adc89f67f83c3) that is not mentioned in the README or CHANGELOG. src/index.js (lines 30-34) contains a loader that resolves this file via __dirname and calls process.dlopen(module, p) inside a try/catch, which would load the binary as a native Node addon with full FFI access to the host process. The README explicitly claims 'Zero runtime dependencies… nothing to audit', directly contradicting the presence of an opaque attacker-supplied native binary. The current release is dormant on most installs because the package declares ESM ('type':'module') while the loader uses CJS-only globals (require, __dirname, module), so the dlopen call throws and is swallowed — but the binary is staged on disk and a one-line patch (switching to createRequire or fileURLToPath) flips it live for every installer. Supporting weak-attribution signals: package.json repository.url points at the npm package page rather than a real source repository, bugs.url is the same placeholder, author is the generic 'disksweep contributors', and CHANGELOG documents only v1.0.0 despite the published version being 3.0.0. The combination of opaque Windows-only native binary, doc/contents mismatch ('zero dependencies' marketing), placeholder metadata hiding maintainer identity, and a pre-wired dlopen loader is the staged-native-payload pattern.\n","modified":"2026-06-26T19:46:42.987234375Z","published":"2026-06-26T19:01:32Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-26T19:01:32Z","id":"IN-MAL-2026-007655","import_time":"2026-06-26T19:36:31.955017694Z","source":"amazon-inspector","sha256":"31a2c10aba7f3468458529214868e2d8acd9717eb7985c47ab10cf4aed64f87c","versions":["3.0.0"]},{"modified_time":"2026-06-26T19:01:37Z","id":"IN-MAL-2026-007656","import_time":"2026-06-26T19:36:32.180550802Z","source":"amazon-inspector","sha256":"49b8ad00b1eafea2b5bccbeee95cb7321b92c72f79ba917a9fc00f19104ebbcf","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/disksweep/v/3.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/disksweep/v/1.0.0"}],"affected":[{"package":{"name":"disksweep","ecosystem":"npm","purl":"pkg:npm/disksweep"},"versions":["3.0.0","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/disksweep/MAL-2026-6535.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"disksweep-3.0.0.tgz","hashes":{"sha512_sri":"sha512-b2HeUREPZqZTB/jWQ9c5EeR/RwXGvzzN9CJc+t9h7bI6/Ms/Nby6np6VqlM83cbew+AD82evVnu3yr3tQbs9gQ==","sha1":"2d7b75dc782a6003a52dae488e6144e4127ea939"}}],"evidence_files":[{"tlsh":"7c11524673d70270d0d77b4509afd011b96dd1c6770aede1d1aa03943ee08f04113dae","sha256":"ed6538c324fdf2f6f86a0529c597f75f4034c58a03eaf5ad463f37219612b2f7","path":"src/index.js"},{"tlsh":"f8418c3bc9a44d7b15b8e54ab8748611f899038f9390085b347c02ac0f7e1b7538fab9","sha256":"60ead84f0bb3467aa181eb0cbee6daa4253151f277f13b4f74feab746057d12f","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}