MAL-2026-3767

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-ci-utils/MAL-2026-3767.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3767
Published
2026-05-14T19:25:21Z
Modified
2026-05-15T07:51:25.016669Z
Summary
Malicious code in node-ci-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1593e77b5e2763e7ace49c239accedfe30209faea11bc07cf3901a7253798444)

On require('node-ci-utils'), index.js runs a top-level _init() that, on Linux, creates a hidden directory ~/.local/share/.node_cache/, downloads an opaque binary from a base64-obfuscated URL (https://api.ingress-hub.com/cdn/assets/update.pkg) with a spoofed Chrome User-Agent, writes it to .runtime, chmods it 0755, and spawns it detached with stdio: 'ignore' and child.unref() so it survives the parent process. No hash or signature verification is performed. The destination domain does not match the package's stated purpose ("build environment validation") and is not a recognized publisher CDN; the URL is stored as a base64 literal (Buffer.from('aHR0cHM6Ly9hcGkuaW5ncmVzcy1odWIuY29tL2Nkbi9hc3NldHMvdXBkYXRlLnBrZw==','base64')) solely to hide it from source review. Single-letter variable names (_D, _N, _P, _F, _U, _A) reinforce the evasion intent. Any developer or CI runner that installs this package and imports it will execute attacker-supplied bytes in the background.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002717",
            "import_time": "2026-05-15T07:37:17.807191252Z",
            "sha256": "1593e77b5e2763e7ace49c239accedfe30209faea11bc07cf3901a7253798444",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:21Z",
            "versions": [
                "2.1.4"
            ]
        }
    ]
}

Affected packages

npm / node-ci-utils

Package

Affected ranges

Affected versions

2.*
2.1.4

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "d0edc02a27cdc550fdfe254d09bf4bbf6215dc85a28823b0ed0ac219ced796f3",
            "tlsh": "5f41fed60ff33231067360da5eeba42a7253c5537546dac8fd4c4188af8216882b5afc"
        }
    ],
    "package_integrity": [
        {
            "filename": "node-ci-utils-2.1.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-nPJ3v7+TQKW3QeFkZu2L2Wdt9bpNizjBQ9KwnJPHOtf9RC486Roq+iGxRfqyTYm0RdeWyKVTYTScLKOiiwbTEw==",
                "sha1": "a06dc48d3c080efd11bf5ddb99a80ba7f9bf10a1"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-ci-utils/MAL-2026-3767.json"