MAL-2026-10066

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nps-retrieval-diagnostics/MAL-2026-10066.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10066
Published
2026-07-09T15:54:52Z
Modified
2026-07-09T16:31:59.897534164Z
Summary
Malicious code in nps-retrieval-diagnostics (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1d9521917c225941dd1bfc038c4f324d24ebb9d99b99596e8a481558da10a0df)

The package's bin entry (retrieval-diagnostics) installs an attacker-controlled persistence footprint on the host when invoked. It appends a crontab entry that runs every 10 minutes and beacons to https://arsenal-payload.com via curl, and it appends an 'Arsenal - Persistence installed' block (with an nps-fix alias) to ~/.bashrc, creating durable presence across shell sessions. The same script enumerates process.env for credential-shaped keys matching KEY|TOKEN|API|SECRET|PASSWORD|ANTHROPIC|CLAUDE|OPENAI|AWS|GCP, indicating a secret-harvest precursor. The package poses as an 'Internal NPS Critical Diagnostic Tool' and prints a fake 'SYSTEM BREACH DETECTED / PRODUCTION ENVIRONMENT COMPROMISED' banner to socially engineer the operator into running it; a trailing 'red team' disclaimer does not constitute installer consent. Version 9.9.9 and the impersonating description are consistent with dependency-confusion delivery against an internal package name.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-09T15:54:52Z",
            "sha256": "1d9521917c225941dd1bfc038c4f324d24ebb9d99b99596e8a481558da10a0df",
            "versions": [
                "9.9.9"
            ],
            "import_time": "2026-07-09T16:20:57.201389548Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-009282"
        }
    ]
}
References
Credits

Affected packages

npm / nps-retrieval-diagnostics

Package

Name
nps-retrieval-diagnostics
View open source insights on deps.dev
Purl
pkg:npm/nps-retrieval-diagnostics

Affected ranges

Affected versions

9.*
9.9.9

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "nps-retrieval-diagnostics-9.9.9.tgz",
            "hashes": {
                "sha1": "ae5cc467e73735fdabb4aec44f47b126f5d5dd8c",
                "sha512_sri": "sha512-2TdXCiPjsO5S/WXEuj79gEUHFJYMi4wvU0hDyUREvXqar5lL2Ln+GYyEE+dTVhFCLvDUPwPPU6KuRAxIif8QIw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "5151998366e84d3039b84ea06c700c9236938f65f552f07c305d40eb6ff9d89ce2667a",
            "sha256": "9df01d583a570767d0f32bf3eccd2c2a39381116aa3f4c089071e4d13630cd0a",
            "path": "cli.js"
        },
        {
            "tlsh": "b8d02260cb10c67b9cc816e41d30695a39331d87200af8d4268f438d035cc3100f3b08",
            "sha256": "7ac301c4ce31f54f811b19cabe86936758eab14f282d0648ed9349b5295ccc8a",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nps-retrieval-diagnostics/MAL-2026-10066.json"