-= Per source details. Do not edit below this line.=-
On npm install, the declared preinstall script (preinstall.js) POSTs the installer's full process.env, os.hostname(), os.platform(), cwd, container-detection artifacts (/.dockerenv, /proc/1/cgroup, /proc/self/mountinfo), and the output of shell reconnaissance commands (id, whoami, hostname, ps aux) to http://101.35.44.248 over plain HTTP. The script additionally issues curl requests to the Alibaba Cloud instance metadata service at 100.100.100.200, including the latest/meta-data/ram/security-credentials/ path that returns temporary IAM credentials for the instance role, and forwards the response to the same attacker endpoint. The package advertises itself as "a simple date formatting utility" and index.js contains only a 7-line date formatter, confirming a decoy cover story for install-time credential theft and environment exfiltration.
{
"malicious-packages-origins": [
{
"sha256": "80da6b239fe02ae1bbf7086d885062181d9ea048490ad77911a63ae4c393cc42",
"id": "IN-MAL-2026-009101",
"import_time": "2026-07-09T16:20:40.706334025Z",
"versions": [
"1.0.0"
],
"modified_time": "2026-07-09T15:28:28Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "00f545b1474cd7ceb299c7ff2e7b4ad7720e1b9634876e45f178874d218ff998",
"tlsh": "3b5163c35775b3305aa18a99e69b3101a723f54bab04ebd4b18c82220f5d81826bbad4",
"path": "preinstall.js"
},
{
"sha256": "b142c38288be48cf988ac54c367d7c2a6e58b0cf8792c04ecc5aea067b53645d",
"tlsh": "9dd0a7244e11d87719c45ae26a638506fea56d1a025c7c4873c75109838ebb284bf70e",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "antsrcsrctest-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-weciHP6EFl97SfBU0rEkhm869yXnUu8AlWa5hoM31fJ6iAB34B5DsWjgkI4T7m1U4DKA2Bm3ZBoVILsQ/9u/lQ==",
"sha1": "42d2f1304f875cf0c34f8a86aeef3cb94eb4c89f"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/antsrcsrctest/MAL-2026-10038.json"