MAL-2026-3682

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@chahuadev/junk-sweeper-app/MAL-2026-3682.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3682
Published
2026-05-12T07:42:45Z
Modified
2026-05-13T20:22:33.302570Z
Summary
Malicious code in @chahuadev/junk-sweeper-app (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3d446150767f92344d8d0a699f5879bd746200fb8beb60554408699868f03d51)

The package's postinstall script (package.json line 10: "postinstall": "node install.js") unconditionally fetches a platform-native executable from https://pub-419d22521da042dfb27d1f404b3eb8a6.r2.dev/Junk-Sweeper.exe or /Junk-Sweeper.AppImage, writes it into the package's bin/ directory, and chmods it 0755 on Linux (install.js lines 10, 14-22, 30-67). No SHA-256, signature, or size verification is performed, and HTTP redirects are followed blindly. The package's bin entrypoint (index.js line 32) then spawnSync's the downloaded binary with the user's argv and inherited stdio, giving the bucket owner a persistent, mutable remote-code-execution channel into any installer machine. The hosting domain is an opaque object-storage bucket, not a versioned release artifact from a transparent source (GitHub Releases with tag pinning, npm registry, etc.). Whether or not the current binary contents are malicious, the delivery mechanism allows the content to be swapped at any time without any version change to the npm package.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "3d446150767f92344d8d0a699f5879bd746200fb8beb60554408699868f03d51",
            "modified_time": "2026-05-12T19:03:07Z",
            "import_time": "2026-05-13T20:10:53.796741355Z",
            "id": "IN-MAL-2026-002219",
            "versions": [
                "2.0.3"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @chahuadev/junk-sweeper-app

Package

Name
@chahuadev/junk-sweeper-app
View open source insights on deps.dev
Purl
pkg:npm/%40chahuadev/junk-sweeper-app

Affected ranges

Affected versions

2.*
2.0.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@chahuadev/junk-sweeper-app/MAL-2026-3682.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "junk-sweeper-app-2.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-JgU8P+pUCZgEj1bsNG/Axg9cOw28X0rOknaKHs5rqgqeLxWzUorOdsnWczVmrAYq3FyFwhBDFm1X6GNeMPGoYw==",
                "sha1": "ed8178bea6e9714bbfbce8a4c75accb3c2a512dc"
            }
        }
    ],
    "domains": [
        "pub-419d22521da042dfb27d1f404b3eb8a6.r2.dev"
    ],
    "urls": [
        "https://pub-419d22521da042dfb27d1f404b3eb8a6.r2.dev/Junk-Sweeper.exe"
    ],
    "evidence_files": [
        {
            "path": "install.js",
            "sha256": "249a56c3a611a1e0f2000dea71b2cce5c6a6c7d3f68e6b747d1b6a53ed2a9aa8",
            "tlsh": "12511e5d1ef3a12442b6c0c96a8f853bb95ec0132209da4db4ec83597fd1a24c685eef"
        }
    ]
}