{"id":"MAL-2026-6789","summary":"Malicious code in @checkrhq/adjudication-api-client (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8c52d9987ace09f0c48d8b0661bd1fcd3cf4e7e701b5e515810c7f32d99086cf)\npackage.json declares a preinstall lifecycle script that runs `curl` to POST installer reconnaissance data — hostname, current user (whoami), working directory, and uid/gid (id) — to a hardcoded webhook.site collector endpoint on every `npm install`. The package is published under an @checkrhq scope impersonating Checkr Inc. (author email uses checkr.com; description states 'This package is for testing only.') and ships no functional code, matching the canonical dependency-confusion beacon pattern targeting an organization's internal package namespace. Installing this package causes automatic outbound transmission of host and user identifiers to an anonymous third-party collector controlled by the publisher.\n\n## Source: ossf-package-analysis (dc8d5c39d401d053978bb8f17234bc79db730d15b55634319f239baf32dc9b0b)\nThe OpenSSF Package Analysis project identified '@checkrhq/adjudication-api-client' @ 0.0.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-07-09T17:31:57.664248420Z","published":"2026-07-02T20:51:05Z","database_specific":{"malicious-packages-origins":[{"versions":["0.0.2"],"sha256":"dc8d5c39d401d053978bb8f17234bc79db730d15b55634319f239baf32dc9b0b","source":"ossf-package-analysis","import_time":"2026-07-05T23:26:10.436945716Z","modified_time":"2026-07-02T20:51:05Z"},{"id":"IN-MAL-2026-009364","versions":["0.0.2"],"sha256":"8c52d9987ace09f0c48d8b0661bd1fcd3cf4e7e701b5e515810c7f32d99086cf","source":"amazon-inspector","import_time":"2026-07-09T17:19:29.525560805Z","modified_time":"2026-07-09T17:01:32Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@checkrhq/adjudication-api-client/v/0.0.2"}],"affected":[{"package":{"name":"@checkrhq/adjudication-api-client","ecosystem":"npm","purl":"pkg:npm/%40checkrhq/adjudication-api-client"},"versions":["0.0.2"],"database_specific":{"indicators":{"evidence_files":[{"path":"package.json","sha256":"a597b12e44707978fb72a4529ac01770e8a3561379e5527f6f09071588dbd0bf","tlsh":"7fe0c0602910a5337bd907a21824818fff74fd0fcf512c80e797916c0c892354ab710c"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-0MDn4mn+80uHXsDwFL4joTSX0d6vZFqmcQgP0XT5kIyux3iZgCXSUPMdjvFR5QJApU2BXy5qhzB9qYm5T2eZRA==","sha1":"31a4f8ebc66b500b47a7e2863c673c8b8d87c1c5"},"filename":"adjudication-api-client-0.0.2.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@checkrhq/adjudication-api-client/MAL-2026-6789.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}