MAL-2026-10534

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-pull/MAL-2026-10534.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10534
Published
2026-07-14T03:36:50Z
Modified
2026-07-14T04:46:57.606049200Z
Summary
Malicious code in motion-pull (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4e50d15810c044b3b0355460fdeacea42d89944d351e74bcce9fd976f91915ea)

motion-pull@2.3.5 impersonates the pino logger (exports module.exports.pino = middleware, uses logger-themed keywords, ships a ./pino require target). When the exported function is invoked, index.js spawns a detached node child running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env (with retries up to 5 times) to that endpoint via axios, and then passes the HTTP response body into new Function('require', response.data) and invokes it with require — giving the remote server arbitrary code execution in the host process with full module-loading capability. Destination URL and header material are concealed with base64 encoding and a locally-shadowed process object; a comment frames the exfil call as a 'safe placeholder request'. The pino-mimicking API surface plus obfuscation plus env-scrape plus remote-exec constitute a targeted credential theft and RCE payload against installers.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T03:36:50Z",
            "versions": [
                "2.3.5"
            ],
            "sha256": "4e50d15810c044b3b0355460fdeacea42d89944d351e74bcce9fd976f91915ea",
            "id": "IN-MAL-2026-010371",
            "source": "amazon-inspector",
            "import_time": "2026-07-14T04:31:59.384729221Z"
        }
    ]
}
References
Credits

Affected packages

npm / motion-pull

Package

Affected ranges

Affected versions

2.*
2.3.5

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
            "sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
            "path": "lib/initializeCaller.js"
        },
        {
            "tlsh": "43016420ce788e2300ed2582482a0643b6628c136928fc2932da512c0f9d4bf11bf22d",
            "sha256": "ffd1dee0940532d4013e7649d0f11e445687c830d19ed44b5b8e83fa1bfc7efc",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "077dd285d78b1c8484fe816936ad6fc7744d2ce4",
                "sha512_sri": "sha512-bsFil33Xdix6/eLvL01Q7W7Ok3ndGkFsqPYIQCk4JdaIu9VSeko/kSqwA0TDzzBIPIS/q3gepCEYMg0hgNTLUA=="
            },
            "filename": "motion-pull-2.3.5.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-pull/MAL-2026-10534.json"