{"id":"MAL-2026-7011","summary":"Malicious code in events-alias (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (164642716a755117674746c1c2534b0ac47d56bed2348e7a800c3d37a98074e9)\nThe package's preinstall hook (\"node index.js\") runs automatically on `npm install` and executes an exfiltration payload. index.js requires child_process, os, http, and https, collects the installer's hostname, platform, arch, home directory, user info (username/uid/gid/shell), the output of `whoami`/`id`, and cwd, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package name 'events-alias' mimics the ubiquitous Node core 'events' module namespace but ships only this install-time recon/exfil payload; an undeclared ~10KB binary blob named 'i' also ships in the tarball but is not referenced from the executed code. Installing this package leaks installer identity/host reconnaissance data to attacker-controlled infrastructure.\n","modified":"2026-07-08T17:46:44.041219791Z","published":"2026-07-08T17:31:00Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-08T17:40:19.849331827Z","source":"amazon-inspector","sha256":"164642716a755117674746c1c2534b0ac47d56bed2348e7a800c3d37a98074e9","modified_time":"2026-07-08T17:31:00Z","id":"IN-MAL-2026-008171","versions":["15.0.1"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-alias/v/15.0.1"}],"affected":[{"package":{"name":"events-alias","ecosystem":"npm","purl":"pkg:npm/events-alias"},"versions":["15.0.1"],"database_specific":{"indicators":{"package_integrity":[{"filename":"events-alias-15.0.1.tgz","hashes":{"sha512_sri":"sha512-f3QbnSOf+8yT0+Od5wvtYZMmZMmVcQgRG1CB/UJ5RBpgLC7fmq3yWVLZnv2uPMc5esUKRzlzqJ0FtyYse6rPgw==","sha1":"e76b699e268e839e92f9b6f29ae91b72fa5ccfd9"}}],"evidence_files":[{"sha256":"97807c86a507cbabc4bbb48a63d172bf5119a7cbf9b6e17284daf3146ca1cb78","path":"index.js","tlsh":"3b5141c515f65a251ba7b8494a4f9402b227e0033606de55bfcc8740af9537c9bf0bf6"},{"tlsh":"20d05e204d21552325c50256182a948762618e6f24047c08a39b182c81ce27798ff35d","sha256":"ac0e68353e0abc16a670e391f14219e95ccee234f78e3e1b157cc08973aec790","path":"package.json"},{"path":"i","tlsh":"d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123","sha256":"5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-alias/MAL-2026-7011.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}