MAL-2026-3752

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cdp-core/MAL-2026-3752.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3752

Published

2026-05-15T03:08:53Z

Modified

2026-05-15T07:52:30.016201Z

Summary

Malicious code in cdp-core (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed)

The package ships cdpinject.js, which combines childprocess, fs, http/https, and base64 encoding to gather system information and exfiltrate it over the network. The file imports http, https, fs, and child_process at the top, reads process.env.USER and other environment data, executes shell utilities (including ping for host reconnaissance), reads files via fs.readFileSync, base64-encodes the collected content (toString('base64') at L205 and L209), and posts it out via https.request/http.get with a hardcoded hostname and POST body. This is the canonical sysinfo+filesystem credential-stealer shape: the package's only on-load effect is to harvest installer-side data and ship it to a network destination. The package name ("cdp-core") and absence of any legitimate library functionality consistent with this code further indicate the file's purpose is exfiltration rather than a documented feature.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "c7363417d8658ee8f5fe919dca59c63eedf84d4b9b1023dffad3e9e7bf8e45f0",
            "id": "IN-MAL-2026-002809",
            "source": "amazon-inspector",
            "modified_time": "2026-05-15T03:08:53Z",
            "versions": [
                "1.0.6"
            ],
            "import_time": "2026-05-15T07:37:20.311931409Z"
        },
        {
            "sha256": "dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed",
            "id": "IN-MAL-2026-002812",
            "source": "amazon-inspector",
            "modified_time": "2026-05-15T03:11:53Z",
            "versions": [
                "1.0.4"
            ],
            "import_time": "2026-05-15T07:37:20.506605512Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / cdp-core

Package

Name: cdp-core; View open source insights on deps.dev
Purl: pkg:npm/cdp-core

Affected ranges

Affected versions

1.*

1.0.4

1.0.6

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cdp-core/MAL-2026-3752.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "40ffbf5006c5dd3c7977b4c8cf9dda01f978643f79fa86744faf5fbce669295a",
            "tlsh": "6c42a48aa5fb203584b7b0755b5ba8477239d013b140cea47e4c83951fc6dbc92b2bed",
            "path": "cdp_inject.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "cdp-core-1.0.6.tgz",
            "hashes": {
                "sha1": "b9b0fda4d3f5e30caab94fb86ea20aa3dbf0563e",
                "sha512_sri": "sha512-0sqZnup28jHgkVjrKUhw1KqpqX6URgwwx/R5yHWDEG9liuA4spcYYM9/UU1MZNRZkGyXWr+dE8G9jq9qpGMjLw=="
            }
        }
    ]
}