-= Per source details. Do not edit below this line.=-
On module load, the package's main entrypoint shells out via child_process.exec to run cat /etc/passwd and prints the contents to stdout. This fires unconditionally when any consumer require()s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-14T03:53:29Z",
"versions": [
"2.2.2"
],
"sha256": "fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7",
"import_time": "2026-07-14T04:32:00.222928009Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010385"
}
]
}{
"evidence_files": [
{
"tlsh": "7ce0d8052de65537933754b0a605591b330bc501123dea96a69a47347fc45a0cde12ea",
"sha256": "6b562c1c355be3ce3dc94b89eb42d815f0eec0319497af9ea53cec7b99f2f491",
"path": "index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "5afa4e695220aaaeeea271c5535445f02123671a",
"sha512_sri": "sha512-ZK7Kj5bnno1AccMVwSWUEzu0vj59T3JOTBA4rI8eE4BJ3cc/IDY3OVofiWUuuzRBQgqo6sy051N/NanzEfEcKA=="
},
"filename": "cbr-internal-utils-2.2.2.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cbr-internal-utils/MAL-2026-10530.json"