MAL-2026-3772

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rimraf-utils/MAL-2026-3772.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3772
Published
2026-05-14T19:25:01Z
Modified
2026-05-15T07:50:45.083167Z
Summary
Malicious code in rimraf-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a59d88d733415216903578b3c3806d76405a23a7cca56ee355eb6725e4e930d4)

rimraf-utils@1.0.5 impersonates the widely-installed rimraf package (index.js is a dummy stub that internally identifies itself as 'lodash-js — Just a dummy module. The real payload is in postinstall.js'). On npm install, scripts.postinstall runs postinstall.js, which harvests installer-side secrets and ships them to a hardcoded bare-IP C2 over plaintext HTTP at http://149.28.127.35:8888 (overridable via process.env.C2_URL).

Specific behavior in postinstall.js:
- Reads ~/.npmrc (npm auth tokens), ~/.env (API keys, DB URLs, cloud credentials, payment keys, EVM private keys, webhooks), and ~/.git-credentials.
- Collects os.hostname() and os.userInfo() for host identification.
- Enumerates 71 hardcoded Chrome/Brave/Edge/Firefox crypto-wallet extension IDs (MetaMask, Phantom, Coinbase, Trust, Exodus, Ledger Live, Trezor, Solflare, etc.) under the browsers' profile directories and reads each wallet's LevelDB .log files, regex-extracting vault/seed/mnemonic/privateKey/encrypted/password fields.
- Recursively walks ~/Documents, ~/Desktop, ~/Downloads, ~/OneDrive, ~/Dropbox, ~/Google Drive, and backup/keys/wallet/crypto subtrees searching for seed-phrase and private-key patterns.
- POSTs the aggregated JSON payload to the C2 via http.request(...).

This package matches multiple unambiguous attack fingerprints simultaneously: hardcoded bare-IP plaintext-HTTP C2 invoked from a lifecycle hook; browser crypto-wallet extension-ID enumeration; seed-phrase/mnemonic home-directory scanner; and installer-secret regex extraction from ~/.npmrc/~/.env/~/.git-credentials. The name is a typosquat of rimraf used as the delivery vector for the payload.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0514899c58dd41152ee9aeb101db1eec4a229ea907aa96f6bf9606b7a75cfe83",
            "id": "IN-MAL-2026-002678",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:01Z",
            "versions": [
                "1.0.4"
            ],
            "import_time": "2026-05-15T07:37:16.014381157Z"
        },
        {
            "sha256": "8947f86d49a41e3f5b03eed92ee6a87e0e6438941606c25cac17c94da8ca9c08",
            "id": "IN-MAL-2026-002679",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:02Z",
            "versions": [
                "2.0.0"
            ],
            "import_time": "2026-05-15T07:37:16.060231882Z"
        },
        {
            "sha256": "a59d88d733415216903578b3c3806d76405a23a7cca56ee355eb6725e4e930d4",
            "id": "IN-MAL-2026-002698",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:11Z",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-05-15T07:37:17.158478544Z"
        }
    ]
}
References
Credits

Affected packages

npm / rimraf-utils

Package: rimraf-utils (npm)

Affected ranges and versions:
1.*: 1.0.4, 1.0.5
2.*: 2.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rimraf-utils/MAL-2026-3772.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9",
            "tlsh": "0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb",
            "path": "postinstall.js"
        },
        {
            "sha256": "98ae1b8d6c3e001a0642d4b45934823f2888c1a2ed6cc4040bc27d136ee114b4",
            "tlsh": "c4d02b208a129d3314c417671a6b420566f14d4b0148bc1c33db015c87aa3b68cff61e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "rimraf-utils-1.0.4.tgz",
            "hashes": {
                "sha1": "51b7f65b122b5c029b1e404869eb0e2e956de9c1",
                "sha512_sri": "sha512-SzdPb1OuAUeUelQ9hHfVSFOEBdt/ekeLLr0grRcWDDP0aKdt1piTKT5t55fc1GDLYf7fbmOGmFQPNvjJ8TTS9A=="
            }
        }
    ]
}