MAL-2026-10530

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cbr-internal-utils/MAL-2026-10530.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10530
Published
2026-07-14T03:53:29Z
Modified
2026-07-14T04:47:00.354203738Z
Summary
Malicious code in cbr-internal-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7)

On module load, the package's main entrypoint shells out via child_process.exec to run cat /etc/passwd and prints the contents to stdout. This fires unconditionally when any consumer require()s the package — no user action or configuration is needed. The package has an internal-sounding name and empty author/description metadata, consistent with a dependency-confusion probe or reconnaissance payload rather than a legitimate library. Reading /etc/passwd serves no library purpose and enumerates local user accounts on the installer's host.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T03:53:29Z",
            "versions": [
                "2.2.2"
            ],
            "sha256": "fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7",
            "import_time": "2026-07-14T04:32:00.222928009Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010385"
        }
    ]
}
References
Credits

Affected packages

npm / cbr-internal-utils

Package

Affected ranges

Affected versions

2.*
2.2.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "7ce0d8052de65537933754b0a605591b330bc501123dea96a69a47347fc45a0cde12ea",
            "sha256": "6b562c1c355be3ce3dc94b89eb42d815f0eec0319497af9ea53cec7b99f2f491",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "5afa4e695220aaaeeea271c5535445f02123671a",
                "sha512_sri": "sha512-ZK7Kj5bnno1AccMVwSWUEzu0vj59T3JOTBA4rI8eE4BJ3cc/IDY3OVofiWUuuzRBQgqo6sy051N/NanzEfEcKA=="
            },
            "filename": "cbr-internal-utils-2.2.2.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cbr-internal-utils/MAL-2026-10530.json"