MAL-2026-3766

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nock-helper/MAL-2026-3766.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3766
Published
2026-05-14T19:24:59Z
Modified
2026-05-15T07:50:54.159423Z
Summary
Malicious code in nock-helper (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d1070514eba7a5f0fedc2760db7710399d38e070d98dc99910d3b49923959820)

The package declares scripts.postinstall: node postinstall.js, which runs automatically on npm install. The script is an explicit credential harvester and crypto-wallet stealer.

It reads ~/.npmrc (npm _authToken and npm_* tokens), ~/.env (scraping keys matching TOKEN/APIKEY/DBURL/PAYMENT/CLOUD/EMAIL/WEBHOOK patterns), and ~/.git-credentials. It then enumerates Chrome, Brave, Edge, Chromium, Vivaldi, and Opera browser profile directories (Default, Profile 1, Profile 2), reading Local Extension Settings for 71 hardcoded crypto wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, and others), and scans ~/Documents and ~/Desktop for seed phrase / mnemonic / keystore files.

Collected data is POSTed to http://149.28.127.35:8888 (hardcoded bare-IP C2, overridable via the C2_URL environment variable).

The package further disguises itself: index.js is a dummy module self-describing as 'Lodash JavaScript utilities bundle' with the comment 'The real payload is in postinstall.js', and the package name nock-helper rides on both nock and lodash brand recognition.

This matches multiple attack fingerprints simultaneously: hardcoded C2 in lifecycle script, browser wallet extension ID enumeration, credential-file scraping, and deceptive package identity.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002675",
            "import_time": "2026-05-15T07:37:15.890130557Z",
            "sha256": "1e6129616a9cf7f471c616f4cee8a7ae2d0c34a62eb81eb7f974aeb96b9d6e4d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:00Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-002673",
            "import_time": "2026-05-15T07:37:15.803763968Z",
            "sha256": "a4b3e5ef3f40fab37240849e4e879b5568118f7672f311e1d46f9d543c0ac9f1",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:59Z",
            "versions": [
                "1.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-002674",
            "import_time": "2026-05-15T07:37:15.85174606Z",
            "sha256": "d1070514eba7a5f0fedc2760db7710399d38e070d98dc99910d3b49923959820",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:59Z",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "id": "IN-MAL-2026-002677",
            "import_time": "2026-05-15T07:37:15.9671984Z",
            "sha256": "30c36950f1300f5ef0dc3d4475b3660e764d63ba96b6d9a688f16f76815b2773",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:01Z",
            "versions": [
                "2.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002676",
            "import_time": "2026-05-15T07:37:15.933713482Z",
            "sha256": "7d4c167b4f48f89a3362df31616bdab08b1edf641e7d87c74b8d3e5840fde2bb",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:01Z",
            "versions": [
                "1.0.5"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / nock-helper

Package

Affected ranges

Affected versions

1.*
1.0.2
1.0.3
1.0.4
1.0.5
2.*
2.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9",
            "tlsh": "0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb"
        },
        {
            "path": "package.json",
            "sha256": "03c624bd3e4b5f93ef13ca3787c701d6676ecda6bdd6dc779d62efe0dc496151",
            "tlsh": "b5d02b208a21ce3320c497520917514569714d0b03447c1833db116d479f3ba4cff60e"
        }
    ],
    "package_integrity": [
        {
            "filename": "nock-helper-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-S26bYOuPXkJuMM9tkPEycw+OFxis2bhipxhQXgG+qefpqfTK5T6UM3I7LvZDwRilJEPP5XxujtLz/IATnj4IJw==",
                "sha1": "66a1a07197869792cca174b1f5c8c9e1080c12d5"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nock-helper/MAL-2026-3766.json"