MAL-2026-3751
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cache-poisoning-pwn-demo/MAL-2026-3751.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3751
- Published
- 2026-05-14T19:25:08Z
- Modified
- 2026-05-15T07:52:29.324204Z
- Summary
- Malicious code in cache-poisoning-pwn-demo (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (dacd21af4f62dd3183bfc4126d1cbcf18600a1c72301b7ae8ca401ec7e44f94e)
The package's postinstall hook (
node -e "try { require('./dist/postinstall.js'); } catch(e) {}") loads dist/postinstall.js, which bundles a poisoned is-number module whose top-level IIFE unconditionally callschild_process.execwith a platform-specific command:open -a Calculatoron macOS,calc.exeon Windows,gnome-calculator/xcalcon Linux. The same IIFE is also present in dist/index.js (the package'smainentry), so any consumer that doesrequire('cache-poisoning-pwn-demo')orimports it will also spawn a child process with no user consent. The package self-describes as a supply-chain attack demonstration. While today's payload spawns only a calculator, the mechanism is a fully functional install-time and import-time arbitrary-command executor: any installer runningnpm installor any downstream library that transitively requires this package will execute the hardcoded command in the installer's context. The calculator is a demonstration payload; the delivery primitive is a real attack. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-002694", "import_time": "2026-05-15T07:37:17.006181729Z", "sha256": "9a3d8f969f5fc981e4dcfeb1bef645e7ec18249943178fb845327d60ec8bc9d7", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:10Z", "versions": [ "0.1.29" ] }, { "id": "IN-MAL-2026-002692", "import_time": "2026-05-15T07:37:16.852935068Z", "sha256": "9c0bd2fe45166c1ea21732e716ad9cad37c7764d5cff37f0a488c71675c37126", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:08Z", "versions": [ "0.1.27" ] }, { "id": "IN-MAL-2026-002693", "import_time": "2026-05-15T07:37:16.955866089Z", "sha256": "dacd21af4f62dd3183bfc4126d1cbcf18600a1c72301b7ae8ca401ec7e44f94e", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:09Z", "versions": [ "0.1.28" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / cache-poisoning-pwn-demo
Package
- Name
- cache-poisoning-pwn-demo
- View open source insights on deps.dev
- Purl
- pkg:npm/cache-poisoning-pwn-demo
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "dist/postinstall.js",
"sha256": "cbd121fe9123f2dc6fbc4dddfd1f407dc86e2f3f435beb0ddd406550b06bd622",
"tlsh": "043166c1c8fe15b297266164e58b900338b6c512425cf688b63c22f3dfd606c45f99bb"
}
],
"package_integrity": [
{
"filename": "cache-poisoning-pwn-demo-0.1.29.tgz",
"hashes": {
"sha512_sri": "sha512-Dxn9iDu83fEU35Tbz89eKKfP9UuhD0uCsENLAIrIrXqGVSO1SlXr4g28vzWhKgdlviRp0MfVyhd9KBR6oCv2rA==",
"sha1": "09d8cc855a99ace23648aa6508bd243d46f4d4b3"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cache-poisoning-pwn-demo/MAL-2026-3751.json"