MAL-2026-3764

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/glob-helper/MAL-2026-3764.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3764

Published

2026-05-14T19:25:10Z

Modified

2026-05-15T07:50:04.893412Z

Summary

Malicious code in glob-helper (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (091b8ee02b80a8a3fda11c15a6d0b8f657b639100244a4398d046ded5854eb64)

glob-helper@1.0.2 is a malicious typosquat with no legitimate functionality. Its index.js is a stub; package.json declares scripts.postinstall: node postinstall.js, which fires automatically on npm install. postinstall.js performs three concurrent credential-theft operations and POSTs the results as JSON over plain HTTP to a hardcoded bare-IP C2 at http://149.28.127.35:8888:

Reads ~/.npmrc (extracting authToken and npm* tokens), ~/.env (regex-matching NPMTOKEN, NPMAUTHTOKEN, AWSACCESSKEYID, AWSSECRETACCESSKEY, GITHUBTOKEN), and ~/.git-credentials.
Enumerates Chrome/Brave/Edge/Chromium/Vivaldi/Opera profile directories under ~/.config/*, walks Local Extension Settings/<walletId> for a hardcoded list of 71 crypto-wallet extension IDs (MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom, Coinbase, Trust, Ledger Live, Trezor, etc.), and greps log contents for vault, seed, mnemonic, privateKey, password, encrypted.
Walks ~/Documents, ~/Desktop, ~/Downloads for files whose names match seed|backup|wallet|phrase|metamask|phantom|vault|key|private, opens each, counts BIP39 wordlist matches, and includes file path + content preview in the exfil payload when 8+ BIP39 words are present.

The package.json keywords list lodash and the description is Glob Helper utility helpers, but index.js contains the author's own comment lodash-js — Just a dummy module. The real payload is in postinstall.js. Installing this package on any developer or CI machine leaks npm publish tokens, AWS keys, GitHub tokens, browser-stored wallet data, and any cryptocurrency seed backups present in the user's home directories.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002699",
            "sha256": "01930376eeb72450ef79dabbce9d88507e2ba93123f0356b95287fc674b72619",
            "modified_time": "2026-05-14T19:25:11Z",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-05-15T07:37:17.20250508Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002817",
            "sha256": "542fe088d2fee135e2cb5178360bdb390a963bd1be4dd816fb5d4dbd27b7ef87",
            "modified_time": "2026-05-15T03:19:42Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-15T07:37:20.809961887Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002816",
            "sha256": "74e3e047bbade54548ae02c0f98690df9a5c9392d94592600d71bc2e3de575e6",
            "modified_time": "2026-05-15T03:19:17Z",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-05-15T07:37:20.73044623Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002818",
            "sha256": "a5eda82b5edd6f7dc941f908a5d7d8b8dc76053f5bf141a97dbb9899c6de75cc",
            "modified_time": "2026-05-15T03:20:47Z",
            "versions": [
                "1.0.3"
            ],
            "import_time": "2026-05-15T07:37:20.897695285Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002701",
            "sha256": "bf3e17ad2a01915e88251e0bb744239e1f1af4e8ed0f49ca2b0c433d9ef1814c",
            "modified_time": "2026-05-14T19:25:12Z",
            "versions": [
                "1.0.4"
            ],
            "import_time": "2026-05-15T07:37:17.312465531Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002703",
            "sha256": "d2029b1bd45066f0e1f69d954404a7ad1480cceddc9850066c25519445fed1c4",
            "modified_time": "2026-05-14T19:25:13Z",
            "versions": [
                "2.0.0"
            ],
            "import_time": "2026-05-15T07:37:17.429481838Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002700",
            "sha256": "091b8ee02b80a8a3fda11c15a6d0b8f657b639100244a4398d046ded5854eb64",
            "modified_time": "2026-05-14T19:25:12Z",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-05-15T07:37:17.241357268Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002696",
            "sha256": "2e4d100a1dc097212704ad4a8a071b2fa2b7aa6541181a5424cc013e2f7dfbf1",
            "modified_time": "2026-05-14T19:25:10Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-15T07:37:17.087257387Z",
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-002702",
            "sha256": "3ccf5efb2c9798c39005a553f2cc29d1541332cabee48e21916bed2d78ce2dd0",
            "modified_time": "2026-05-14T19:25:13Z",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-05-15T07:37:17.365540983Z",
            "source": "amazon-inspector"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / glob-helper

Package

Name: glob-helper; View open source insights on deps.dev
Purl: pkg:npm/glob-helper

Affected ranges

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

2.*

2.0.0

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "6a5dffd7836eec6f4271dac9ba85466a40bc98ca2b7609172dfce52d0cb70246",
            "tlsh": "f4a165d558a068145dab82e53747b020ae15e183370eddf0f74c0aa48fc0e69e5f3bda"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "742a11d3c968ed8dcc757ff4ee60307d225637c5",
                "sha512_sri": "sha512-PuxC/oS8mw63zwSquTonCH8JxU1OHJpOJSu7xfwNvfJkj7/RpLvlba/LvWQPCLNrZf81CuSKWG6UdNIQ7NLdxg=="
            },
            "filename": "glob-helper-1.0.1.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/glob-helper/MAL-2026-3764.json"