{
  "id": "MAL-2026-6554",
  "summary": "Malicious code in insomnia-test-util-m4gester (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8)\nPackage ships no functional code and exists solely to execute a shell command on `npm install`. The `postinstall` lifecycle hook runs `echo PWNED_BY_DEEPLINK \u003e /tmp/pwned.txt`, dropping a marker file at `/tmp/pwned.txt` on the installer's machine. The self-identifying marker string (`PWNED_BY_DEEPLINK`) confirms the package's only purpose is to demonstrate arbitrary install-time code execution against installers. The package name mimics the Insomnia (Kong) HTTP-client ecosystem naming convention while the publishing handle is unrelated, consistent with a lure/PoC namespace-abuse shape. Although the present payload is a benign marker write, the install-time arbitrary-command-execution primitive is fully wired and would execute any command the maintainer publishes in a future version.\n",
  "modified": "2026-06-28T07:01:42.317123452Z",
  "published": "2026-06-28T06:00:51Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007693",
        "sha256": "3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8",
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
        "source": "amazon-inspector",
        "modified_time": "2026-06-28T06:00:51Z",
        "import_time": "2026-06-28T06:50:42.503445456Z",
        "versions": ["1.0.0"]
      },
      {
        "id": "IN-MAL-2026-007694",
        "sha256": "fda634406b6f4fd97c572c7d4a52d6e3201932fea144a157e955aa16fa394da4",
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
        "source": "amazon-inspector",
        "modified_time": "2026-06-28T06:01:00Z",
        "import_time": "2026-06-28T06:50:42.619994359Z",
        "versions": ["1.0.1"]
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/insomnia-test-util-m4gester/v/1.0.0"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/insomnia-test-util-m4gester/v/1.0.1"}
  ],
  "affected": [
    {
      "package": {
        "name": "insomnia-test-util-m4gester",
        "ecosystem": "npm",
        "purl": "pkg:npm/insomnia-test-util-m4gester"
      },
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
      "versions": ["1.0.0", "1.0.1"],
      "database_specific": {
        "cwes": [
          {"cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code"},
          {"cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code"}
        ],
        "indicators": {
          "evidence_files": [
            {
              "sha256": "330f0644d2b4251bbd87fe378b2d90e8a2fb20402a5bb916945ec654e488b6b9",
              "path": "package.json",
              "tlsh": "bfc02b6078a6217338ca13bb402b84866f41c80b03853e1403cb09b2d2877fea88f20c"
            }
          ],
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-s8XnwFBmWlhEoXY2Rrq32WzDUxZNHOpZcqk9dLposGOruDnv/IeBFvC+UwPIPs94X1kHUcJOg4BS1Md3KImTpQ==",
                "sha1": "1390b8f8ce96514d32799fe083807263c29779dc"
              },
              "filename": "insomnia-test-util-m4gester-1.0.0.tgz"
            }
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-test-util-m4gester/MAL-2026-6554.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}
  ]
}