MAL-2026-3771

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-logger-canary/MAL-2026-3771.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3771

Published

2026-05-14T19:25:32Z

Modified

2026-05-15T07:50:28.978061Z

Summary

Malicious code in request-logger-canary (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cf0d566d7abb400988aea74b00099a6db4c5ea928f32e7d44648193e21a36035)

request-logger-canary@1.0.0 ships a preinstall.js that, when npm install runs, opens a TCP socket to 52.74.242.200:8851 and pipes an interactive /bin/sh to the remote endpoint (stdin/stdout/stderr all bridged to the socket). The code executes unconditionally at install time via scripts.preinstall — there is no guard, no if (false), no environment check. The README falsely claims the reverse shell is dead code wrapped in if (false) and located in postinstall.js; the live payload is actually in preinstall.js with no guard. This misdirection is itself evidence of deliberate supply-chain attack intent. Any machine running npm install request-logger-canary hands a root-of-user interactive shell to the operator of 52.74.242.200.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002731",
            "import_time": "2026-05-15T07:37:18.417685682Z",
            "sha256": "cf0d566d7abb400988aea74b00099a6db4c5ea928f32e7d44648193e21a36035",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:32Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/request-logger-canary/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / request-logger-canary

Package

Name: request-logger-canary; View open source insights on deps.dev
Purl: pkg:npm/request-logger-canary

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "preinstall.js",
            "sha256": "17268959e805d34e252d226171a791ebce45546db77a0803108e7744d6a7f843",
            "tlsh": "20e0d8dc0bf5a238b6f60cf0e9b055372623c2103343e2e5859d48a156c39ca4e23ef2"
        },
        {
            "path": "README.md",
            "sha256": "170a50fd96bdda7a4338c3340844a5d2fae917eaea34d1579972910303cba251",
            "tlsh": "463126e5d80153a7395682bdd093d058e9e960348b20a879c9f58078a12739ec21fd77"
        }
    ],
    "package_integrity": [
        {
            "filename": "request-logger-canary-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-qkTCj7DAIjUmY+Deb4ohssmG4BWuzSYMCJHA0XWmdcnugvwI8eP/t+1XH+BhbdpyPzUlAqQ5jVVrcJHeaDyPVw==",
                "sha1": "4b76c8104a294ac2c7cac6787163795ed52a7885"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-logger-canary/MAL-2026-3771.json"