MAL-2026-3756

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cheerio-tool/MAL-2026-3756.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3756

Published

2026-05-14T19:24:51Z

Modified

2026-05-15T07:52:46.954029Z

Summary

Malicious code in cheerio-tool (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2d51a2885f4eaff732d1ef7ab065b04d21c59263b1212d5b92b92c87914ef879)

cheerio-tool typosquats the popular cheerio HTML parser (README claims 'Cheerio Tool utility helpers', keywords are 'lodash','utilities', and index.js self-describes as 'lodash-js — Just a dummy module. The real payload is in postinstall.js'). On npm install, the declared postinstall script node postinstall.js runs a credential harvester and crypto-wallet scanner. It reads installer secret files including ~/.npmrc, ~/.env, and ~/.git-credentials, extracts npm auth tokens (_authToken, npm_[A-Za-z0-9]{36}), API keys, database URLs, AWS/GCP cloud credentials, payment keys, and webhook secrets. It enumerates Chrome, Brave, Edge, Chromium, Vivaldi, and Opera profile directories, iterates Local Extension Settings/<wallet-id> against 71 hardcoded browser wallet extension IDs (MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom, Coinbase, Trust, Ledger, Trezor, etc.), and regex-matches vault, mnemonic, seed phrase, private key, and encrypted-blob material from the LevelDB .log files. It additionally scans ~/Documents, ~/Desktop, and ~/Downloads for files matching seed/backup/wallet/phrase/crypto/metamask/phantom/vault/key/private and checks contents against BIP-39 wordlists. Collected data is bundled with hostname and username and POSTed to hardcoded http://149.28.127.35:8888 (plain HTTP, bare IPv4, overridable via C2_URL env var). The source self-identifies as 'Token harvester + Crypto wallet scanner — Runs on npm install. Silent. Zero trace.' Any developer or CI system that installs this package loses their npm publish token, project environment secrets, git credentials, and browser-resident cryptocurrency wallet seed phrases.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-14T19:24:51Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "085d4e53d556a496d4d5295afbdf94d97c4e361e84486c19f3095de48363375d",
            "id": "IN-MAL-2026-002657",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:15.490402313Z"
        },
        {
            "modified_time": "2026-05-14T19:24:51Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "2d51a2885f4eaff732d1ef7ab065b04d21c59263b1212d5b92b92c87914ef879",
            "id": "IN-MAL-2026-002656",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:15.436068273Z"
        },
        {
            "modified_time": "2026-05-14T19:24:52Z",
            "versions": [
                "1.0.5"
            ],
            "sha256": "e181c3d755ca04ad5d20706f0e3461d1d7c3e17f91f34c7f5d90819bcf255b82",
            "id": "IN-MAL-2026-002658",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:15.554392041Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / cheerio-tool

Package

Name: cheerio-tool; View open source insights on deps.dev
Purl: pkg:npm/cheerio-tool

Affected ranges

Affected versions

1.*

1.0.3

1.0.4

1.0.5

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9",
            "tlsh": "0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-CbrJsbjEuVvRYDeEUOO/nHHL3r68ZjWAK2JwOFlC8Xz/1VVWdiidFrkpdZ/NIVgCBzpAKjLKDN/OQBe1qxKcYg==",
                "sha1": "39d571d10289f83ff52e84b4ff8584510e87c75a"
            },
            "filename": "cheerio-tool-1.0.4.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cheerio-tool/MAL-2026-3756.json"