MAL-2026-10038

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/antsrcsrctest/MAL-2026-10038.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10038
Published
2026-07-09T15:28:28Z
Modified
2026-07-09T16:31:52.220294723Z
Summary
Malicious code in antsrcsrctest (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (80da6b239fe02ae1bbf7086d885062181d9ea048490ad77911a63ae4c393cc42)

On npm install, the declared preinstall script (preinstall.js) POSTs the installer's full process.env, os.hostname(), os.platform(), cwd, container-detection artifacts (/.dockerenv, /proc/1/cgroup, /proc/self/mountinfo), and the output of shell reconnaissance commands (id, whoami, hostname, ps aux) to http://101.35.44.248 over plain HTTP. The script additionally issues curl requests to the Alibaba Cloud instance metadata service at 100.100.100.200, including the latest/meta-data/ram/security-credentials/ path that returns temporary IAM credentials for the instance role, and forwards the response to the same attacker endpoint. The package advertises itself as "a simple date formatting utility" and index.js contains only a 7-line date formatter, confirming a decoy cover story for install-time credential theft and environment exfiltration.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "80da6b239fe02ae1bbf7086d885062181d9ea048490ad77911a63ae4c393cc42",
            "id": "IN-MAL-2026-009101",
            "import_time": "2026-07-09T16:20:40.706334025Z",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-07-09T15:28:28Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / antsrcsrctest

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "00f545b1474cd7ceb299c7ff2e7b4ad7720e1b9634876e45f178874d218ff998",
            "tlsh": "3b5163c35775b3305aa18a99e69b3101a723f54bab04ebd4b18c82220f5d81826bbad4",
            "path": "preinstall.js"
        },
        {
            "sha256": "b142c38288be48cf988ac54c367d7c2a6e58b0cf8792c04ecc5aea067b53645d",
            "tlsh": "9dd0a7244e11d87719c45ae26a638506fea56d1a025c7c4873c75109838ebb284bf70e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "antsrcsrctest-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-weciHP6EFl97SfBU0rEkhm869yXnUu8AlWa5hoM31fJ6iAB34B5DsWjgkI4T7m1U4DKA2Bm3ZBoVILsQ/9u/lQ==",
                "sha1": "42d2f1304f875cf0c34f8a86aeef3cb94eb4c89f"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/antsrcsrctest/MAL-2026-10038.json"