MAL-2026-10078

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vybscan-testbed-inert-postinstall/MAL-2026-10078.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10078
Published
2026-07-09T15:44:47Z
Modified
2026-07-09T16:32:04.491077488Z
Summary
Malicious code in vybscan-testbed-inert-postinstall (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f4e6f35e49b7701bb75a88eb63fcf918c389272d5282093c8422d9e1f388dd38)

package.json declares a postinstall lifecycle script that runs id and reads the process environment, piping the collected host identity and environment variables to a remote endpoint via curl. This fires automatically on npm install without user interaction, causing the installer's environment variables (which routinely contain credentials, tokens, and API keys) and user/host identity to be transmitted off-host to an attacker-controlled destination.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-009213",
            "sha256": "f4e6f35e49b7701bb75a88eb63fcf918c389272d5282093c8422d9e1f388dd38",
            "import_time": "2026-07-09T16:20:51.765755146Z",
            "modified_time": "2026-07-09T15:44:47Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / vybscan-testbed-inert-postinstall

Package

Name
vybscan-testbed-inert-postinstall
View open source insights on deps.dev
Purl
pkg:npm/vybscan-testbed-inert-postinstall

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "vybscan-testbed-inert-postinstall-1.0.0.tgz",
            "hashes": {
                "sha1": "c76c4137137e98ecff98dc4b60996056b7de1577",
                "sha512_sri": "sha512-KKDDc/9TrBUyXAQi8jfsOeamLnsqV3dc1eSw7bgNywEKtBHyE5AhZfbxOwfDfZMO4jHfwDFqotSgHCHXn7//aQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "e9319581450592253ad001a8991f238fd735c32e42c4acd4d1ef429f874bd7722bb6bb",
            "sha256": "7926f6bc957d1d1037f3f413b8790785a144939c94455bd05827fd8e65f97a43",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vybscan-testbed-inert-postinstall/MAL-2026-10078.json"