MAL-2026-10099

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polipoli-pak/MAL-2026-10099.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10099
Published
2026-07-09T22:52:20Z
Modified
2026-07-09T23:02:02.510826275Z
Summary
Malicious code in polipoli-pak (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f)

On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INITCWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL (https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044) that the installer never configured. Second, it walks common project locations under INITCWD (index.html, public/index.html, src/index.html, dist/index.html, build/index.html) and rewrites each file via fs.writeFileSync to inject a fixed-position red banner div into the page body. The environment-variable name inventory reveals which credentials are present on the host, and the HTML rewrite silently modifies files the installer owns at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-009585",
            "import_time": "2026-07-09T22:56:36.883954615Z",
            "modified_time": "2026-07-09T22:52:20Z",
            "sha256": "a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f",
            "source": "amazon-inspector"
        },
        {
            "sha256": "af550191d3d4cb2984b26cf7a5aba9ae8c003fa781008b7d7821110d4eefa62d",
            "id": "IN-MAL-2026-009587",
            "modified_time": "2026-07-09T22:52:35Z",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-07-09T22:56:37.07679088Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / polipoli-pak

Package

Affected ranges

Affected versions

1.*
1.0.1
1.0.2

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "29514935dcc304a025ea79b7385998bcb040e067da03eeace456985a73125041",
            "tlsh": "bd71e9820e2442392ab629e053af6546e3b6d1014194f970f85ed0582fd12b4075bfee",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "polipoli-pak-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-rNxmFMVIYrd5sqNavgBJTZe9b9MENi6RuHLS0mOZ2gyiIyQEsDITvzGS/JYzT4uRNzHwHKQInCbCymzwjlL+/g==",
                "sha1": "6d422b1d6d5a405abed6076b0ae3f4b25471df9d"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polipoli-pak/MAL-2026-10099.json"