{"id":"MAL-2026-6553","summary":"Malicious code in insomnia-plugin-poc-m4gester2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86)\nPackage ships only a package.json with no plugin code, declaring a postinstall lifecycle script that runs `echo PWNED_BY_DEEPLINK \u003e /tmp/pwned.txt` on every `npm install`. This writes a marker file to the installer's filesystem and demonstrates arbitrary command execution at install time. The package name self-identifies as a proof-of-concept (`poc-m4gester`) and adopts the `insomnia-plugin-*` namespace despite shipping no Insomnia plugin functionality. While the current payload is a benign marker write, the postinstall is an arbitrary-shell-on-install primitive with no legitimate purpose, in a namespace-squat shell of a package.\n","modified":"2026-06-28T07:01:42.292862157Z","published":"2026-06-28T06:00:35Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.1"],"import_time":"2026-06-28T06:50:42.719447492Z","id":"IN-MAL-2026-007695","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-28T06:01:08Z","source":"amazon-inspector","sha256":"1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86"},{"id":"IN-MAL-2026-007691","versions":["1.0.0"],"import_time":"2026-06-28T06:50:42.297530464Z","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-28T06:00:35Z","source":"amazon-inspector","sha256":"a07696df593b382127f1eedea455af911e9e94591c0526d0b191576b411decf9"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/insomnia-plugin-poc-m4gester2/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/insomnia-plugin-poc-m4gester2/v/1.0.0"}],"affected":[{"package":{"name":"insomnia-plugin-poc-m4gester2","ecosystem":"npm","purl":"pkg:npm/insomnia-plugin-poc-m4gester2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.1","1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-plugin-poc-m4gester2/MAL-2026-6553.json","indicators":{"evidence_files":[{"tlsh":"82d02350fda6743338cd126948774047af11451b02057e1413e714756bcf7faa4e7358","path":"package.json","sha256":"2dc185f10b0d7a8f1d9c7d3d445be50c98407cbdd6b19d3c336c9a2809a03eea"}],"package_integrity":[{"hashes":{"sha1":"ebaf9c96403e1bd7d7e4d9c5d7cb32f762ae9b6f","sha512_sri":"sha512-PM4wyNL+mA5TXcA4y2juLm7Q6yOC+jVlPlhoy/PCOTSxVOfRt9DcM31h2nIIqa5ZdhBi5Yo9dz7JOyccgfmfBA=="},"filename":"insomnia-plugin-poc-m4gester2-1.0.1.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}