{"id":"MAL-2026-6581","summary":"Malicious code in ollama-helpers (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (52323ef2a3908b7db1565ae149128d053363ab2612c7bc3a938c3f2d63c285cf)\nscripts/postinstall.js executes automatically on `npm install` and performs a bulk harvest of installer-side identity and configuration data: OS hostname and username, ~/.gitconfig user email, recent committer emails parsed from .git/logs/HEAD, SSH public-key comments from ~/.ssh/*.pub, GitHub identity from ~/.config/gh/hosts.yml, GCP project/account, AWS profile names from ~/.aws/config, DNS search domain, CWD, CI provider, and parent project package.json author/repo. The collected JSON is POSTed via https.request to the hardcoded endpoint npm-package-logger-228835561205.europe-west1.run.app, an anonymous Google Cloud Run host unrelated to the package's claimed homepage (ollama-js.dev). The package additionally impersonates the Ollama ecosystem with fabricated publisher metadata (author 'Ollama JS Dev', homepage ollama-js.dev, repo github.com/ollama-js-dev) — none of which belong to the official Ollama project at ollama.com / github.com/ollama. The declared `main` (dist/index.js) is not shipped in the tarball; the only executable surface is the postinstall data-collection script, confirming the package is a pure exfiltration vehicle dressed as an Ollama helpers library. 
The 'telemetry' framing in the script is a cover story — scope (SSH key comments, committer history, AWS profile inventory, cloud account identifiers) far exceeds anything a legitimate version/platform telemetry beacon would collect, and no consent prompt or opt-out exists.\n","modified":"2026-06-29T07:16:41.929115431Z","published":"2026-06-29T05:51:09Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-29T07:09:10.29060707Z","sha256":"3f3531b5d58d5b2f2458c55fb8d72e35c63d40238a7774ecb6975f0e8ff326e8","versions":["1.2.1"],"source":"amazon-inspector","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-29T05:51:09Z","id":"IN-MAL-2026-007756"},{"import_time":"2026-06-29T07:09:10.461743596Z","versions":["1.2.2"],"source":"amazon-inspector","sha256":"52323ef2a3908b7db1565ae149128d053363ab2612c7bc3a938c3f2d63c285cf","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-29T05:51:17Z","id":"IN-MAL-2026-007757"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ollama-helpers/v/1.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ollama-helpers/v/1.2.2"}],"affected":[{"package":{"name":"ollama-helpers","ecosystem":"npm","purl":"pkg:npm/ollama-helpers"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.2.1","1.2.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in 
nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"ollama-helpers-1.2.1.tgz","hashes":{"sha1":"59e8106a399b1ddff5ba03276eeec4152fb8586f","sha512_sri":"sha512-/TGVA2rjns9vl7wBsvM3p2M5NeM9c2Jjg6tmKpFWpW8dMj6N+arZDYFVdjVWUB67EbywZBNv1Nud/hdE65PiBQ=="}}],"evidence_files":[{"path":"scripts/postinstall.js","sha256":"e344f2776cee9978d7d0a6bb6ef0af65c182ff7704cfbc4a372260756d3458b1","tlsh":"1772b77105e605123762f95db74b2081f766f2237a08e8a0799db2095fce91493f3afb"},{"path":"package.json","sha256":"85bfb5e2a2df023909e2ead7ddbbde947cb2c0cd375db7ede1a71e13ef0adcb2","tlsh":"08012628da749a331bc911c548660a42b6790d6b0a58bc152b96522c8f5c2af15ff3ee"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ollama-helpers/MAL-2026-6581.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}