MAL-2026-10062

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/es6-codify/MAL-2026-10062.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10062
Published
2026-07-09T15:46:22Z
Modified
2026-07-09T16:31:57.428059698Z
Summary
Malicious code in es6-codify (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f)

The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints (dist/index.cjs and the ESM build) execute a top-level call on require/import that opens an HTTPS POST to the hardcoded host j5dcw95v-3000.inc1.devtunnels.ms at path /post-d. The request body is a JSON blob containing the full process.env of the importing process, together with process.cwd(), process.version, and process.argv. Any environment variable held by the installer at the moment this package is loaded (CI secrets, cloud credentials, tokens, database URLs) is transmitted to the attacker-controlled Microsoft dev-tunnel host. The exfiltration fires unconditionally on module load and is duplicated across the CJS and ESM entrypoints so it triggers regardless of how the package is resolved. There is no network functionality in the advertised API, so the network I/O has no benign explanation.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "217d3f911643e24dc7767f6ca16a8e60199819ea084db7ee55b8e7d74430db33",
            "id": "IN-MAL-2026-009230",
            "import_time": "2026-07-09T16:20:52.929052091Z",
            "modified_time": "2026-07-09T15:47:14Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.2.0"
            ],
            "id": "IN-MAL-2026-009234",
            "import_time": "2026-07-09T16:20:53.213778177Z",
            "modified_time": "2026-07-09T15:47:46Z",
            "sha256": "39fc72e58c9fcc953659b53bc2e644d5e588b2dbe4000ad2d1c79c1662d1fa37",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.0.0"
            ],
            "id": "IN-MAL-2026-009231",
            "import_time": "2026-07-09T16:20:52.983381798Z",
            "modified_time": "2026-07-09T15:47:22Z",
            "sha256": "3f1cf9de60a87ebc3b2367546d4e07c0d34152bc5708a94953eae79bb550da1e",
            "source": "amazon-inspector"
        },
        {
            "sha256": "4521a0e0e2cb609fdd068bbc0749306e9c416854c7035bedeaeaf6d2fc8ecee2",
            "id": "IN-MAL-2026-009224",
            "modified_time": "2026-07-09T15:46:22Z",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-07-09T16:20:52.513303512Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "91a28ed2bb0eb6800a866c6ca71cb3fd31701f6b1b2b6eab0d86b09cf16be96d",
            "id": "IN-MAL-2026-009227",
            "modified_time": "2026-07-09T15:46:48Z",
            "versions": [
                "2.1.0"
            ],
            "import_time": "2026-07-09T16:20:52.70872663Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.3.0"
            ],
            "id": "IN-MAL-2026-009229",
            "import_time": "2026-07-09T16:20:52.876689928Z",
            "modified_time": "2026-07-09T15:47:06Z",
            "sha256": "9ef411e013692f392703190ba3bfb76d10cec0baff227fad1317e1c61ae5af5d",
            "source": "amazon-inspector"
        },
        {
            "sha256": "e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f",
            "id": "IN-MAL-2026-009228",
            "import_time": "2026-07-09T16:20:52.798694167Z",
            "modified_time": "2026-07-09T15:46:59Z",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.4.0"
            ],
            "id": "IN-MAL-2026-009226",
            "import_time": "2026-07-09T16:20:52.625981454Z",
            "modified_time": "2026-07-09T15:46:37Z",
            "sha256": "fde9b9993861b8d7c618e09e51586ed83a303463fb5aad2de9010551dc2e89ee",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / es6-codify

Package

Affected ranges

Affected versions

1.*
1.0.1
1.1.0
1.2.0
1.3.0
1.4.0
2.*
2.0.0
2.1.0
2.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "es6-codify-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-OWa7aH4Y84Ezv51vXyqHWebIBVqZ0yFBTvCXGEgrhzp5LhnbqfQDw1s5CSziDfTRDv0imSqdbw3h/xRExn6xPQ==",
                "sha1": "2ec3d873f6b1ed0987da3f12099665a184a5c40d"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "82366888d100c0f632bd3ee2dee1485d3c4a4b9386360776538ad67572d163da",
            "tlsh": "a491e90331b4326c03f260ea352dda8bdadd42608265f4a4a79ca16017de57f99f0fca",
            "path": "dist/index.cjs"
        },
        {
            "tlsh": "b441a50270f4149522f7b05a380dd2979d95412063a5fa98a21d60502fe927fdaf2fcc",
            "sha256": "f3744bdf4998d822d1a2f9d40291a0d69d13639eb5631388752b855344e8b49f",
            "path": "dist/index.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/es6-codify/MAL-2026-10062.json"