MAL-2026-3765

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/joi-pack/MAL-2026-3765.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3765
Published
2026-05-14T19:25:32Z
Modified
2026-05-15T07:48:34.131686Z
Summary
Malicious code in joi-pack (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5ca38e3574ffcb0fabb105616e28108137c8256e2c70aeede59623bca5df496a)

The package declares a postinstall hook ("postinstall": "node postinstall.js" in package.json) that runs unconditionally on npm install. The script's own header comment describes it as a "Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace." It performs two distinct credential-theft behaviors:

1) Installer secret harvest: reads ~/.npmrc, ~/.env, and ~/.git-credentials; extracts npm auth tokens (regex npm_[a-zA-Z0-9]{36}), API keys, database URLs, cloud credentials, EVM private keys (0x[a-fA-F0-9]{64}), and git credentials; POSTs the JSON result to the hardcoded bare-IP endpoint http://149.28.127.35:8888 over plain HTTP (overridable only via the C2_URL environment variable).

2) Crypto wallet stealer: enumerates 71 hardcoded Chrome/Brave/Edge/Firefox wallet extension IDs (MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom bfnaelmomeimhlpmgjnjophhpkkoljpa, Coinbase, Trust, Ledger, etc.), walks each browser profile's Local Extension Settings/<walletId> directory for LevelDB .log files, matching their contents against a regex for vault, mnemonic, seed, privateKey, password, and encrypted, and recursively scans ~/Documents, ~/Desktop, ~/Downloads, ~/OneDrive, ~/Dropbox, ~/Google Drive, ~/backup, ~/keys, ~/wallet, ~/crypto for seed-phrase and keystore files, exfiltrating hits to the same C2.

The package's advertised purpose (keywords: [lodash, utilities], description "Lodash JavaScript utilities bundle", internal name lodash-js) does not match the name joi-pack and does not match the payload — index.js is an explicit stub ("Just a dummy module. The real payload is in postinstall.js"). Name and keywords are cover-story framing piggybacking on the popular joi and lodash packages.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-14T19:25:33Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "3caea54cdc5f9f780e43fbc5cab85bda8c3f7ee37b565296c18db6713f99c794",
            "id": "IN-MAL-2026-002733",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:18.540208109Z"
        },
        {
            "modified_time": "2026-05-14T19:25:33Z",
            "versions": [
                "1.0.5"
            ],
            "sha256": "5ca38e3574ffcb0fabb105616e28108137c8256e2c70aeede59623bca5df496a",
            "id": "IN-MAL-2026-002734",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:18.585310981Z"
        },
        {
            "modified_time": "2026-05-14T19:25:32Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "dfc3730af0bd203e8c642cd12bd2a6cf4f0ba892e633e58781dfade6db085063",
            "id": "IN-MAL-2026-002732",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:18.462166601Z"
        }
    ]
}

Affected packages

Package: npm / joi-pack
Affected ranges: (none listed)
Affected versions: 1.* (1.0.3, 1.0.4, 1.0.5)

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9",
            "tlsh": "0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb",
            "path": "postinstall.js"
        },
        {
            "sha256": "5efe7ef267152e45c516d2b928ae01d731e9fccf641cf90512ad95b6e4ad98ac",
            "tlsh": "66d022004d38f25725678257eb21ca566fe05b8c12258110098e8b80860ab0cc43aae4",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-K2ozPUo6VUxVKtX42CwyLRIzYJZYSBM8JLbL9sOKre+UuYSf/KCWJAOIRBAKna2FNpctF5Z8GBYl+E0Sy0QFYQ==",
                "sha1": "59d723ef4f38726fcf849a50ac9d87a9ae9fde10"
            },
            "filename": "joi-pack-1.0.4.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/joi-pack/MAL-2026-3765.json"