MAL-2026-10509

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test_adminet/MAL-2026-10509.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10509
Published
2026-07-13T21:59:21Z
Modified
2026-07-13T22:31:56.587744183Z
Summary
Malicious code in test_adminet (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e1971734ce6221624b53d3647a5881c1fe0bc7f8ae4d383a5ff2a9f5080da57c)

The package's package.json declares a preinstall hook that runs index.js. On npm install, index.js uses child_process.exec to curl-POST installer identifiers ($(whoami), $(hostname), id output) together with the contents of /etc/passwd, /etc/hosts, and /etc/shadow (base64-encoded and stuffed into the User-Agent header) to a hardcoded webhook.site endpoint. The /etc/shadow read attempts to harvest local password hashes; if the install runs as root (common in CI/Docker), hashes are transmitted off-host. Behavior fires automatically on default npm install with no user interaction.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T21:59:21Z",
            "versions": [
                "99.9.9"
            ],
            "sha256": "e1971734ce6221624b53d3647a5881c1fe0bc7f8ae4d383a5ff2a9f5080da57c",
            "id": "IN-MAL-2026-010335",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T22:21:56.489997805Z"
        }
    ]
}
References
Credits

Affected packages

npm / test_adminet

Package

Affected ranges

Affected versions

99.*
99.9.9

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "dff0d44758f4dd3673a518bceb04481fb74bf9405136b75254ef8a25234c85844551f7",
            "sha256": "55ad8bb63e16a89373566a35b5241f6b7bec0b9b24d29cceb431e622c6fc165f",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "2ed67e37878a7a8f01ce1a2ee89d0a078a3b8507",
                "sha512_sri": "sha512-Gz120JatIgxuYApFPN3GwcEZ3g+ntpo1RCpG0pjTWkhvOJlw4vTIIAUFvjFDDjeKFYZ8qtqm/CvxWrTMxMZ0PA=="
            },
            "filename": "test_adminet-99.9.9.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test_adminet/MAL-2026-10509.json"