MAL-2026-4447

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@spcsn/taro-cli/MAL-2026-4447.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4447
Withdrawn
2026-05-26T21:14:22Z
Published
2026-05-20T10:51:20Z
Modified
2026-05-27T00:32:05.800718466Z
Summary
Malicious code in @spcsn/taro-cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (10e2baba3a5166ecf1196146e1b2a8771836b25bd7f8d56979e3e277a3de9625)

The package's postinstall script probes https://taro.jd.com/ and then invokes its own CLI to run npm install @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com inside the user's global Taro config directory (~/.taro). The plugin is fetched over plain HTTP (no TLS) at the mutable @latest tag from a third-party registry (registry.m.jd.com), not from npmjs.org and not from the package's own publisher infrastructure. After install, the plugin name is appended to the global plugins list (fs.writeJSONSync(configFilePath, { [configKey]: configItem })), so it is auto-loaded on every subsequent taro invocation. This is an unpinned, plain-HTTP, third-party code fetch executed at install time and persisted across future builds — an attacker able to MITM HTTP traffic to registry.m.jd.com (or the registry operator itself, given @latest) can substitute arbitrary code that runs whenever the developer later runs Taro. The behavior is undocumented (README is empty) and silently enrolls every installer into a JD-operated build-reporting plugin without consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "10e2baba3a5166ecf1196146e1b2a8771836b25bd7f8d56979e3e277a3de9625",
            "id": "IN-MAL-2026-003517",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T10:51:20Z",
            "versions": [
                "0.1.5"
            ],
            "import_time": "2026-05-26T05:50:46.668395095Z"
        },
        {
            "sha256": "eeb9f5dc682e24a1c04c67e069cb340d1b8d2ef824845cba706d8d85b3f13167",
            "id": "IN-MAL-2026-003518",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T10:51:20Z",
            "versions": [
                "0.1.5"
            ],
            "import_time": "2026-05-26T05:50:46.796387611Z"
        }
    ]
}
References
Credits

Affected packages

npm / @spcsn/taro-cli

Package

Name
@spcsn/taro-cli
Purl
pkg:npm/%40spcsn%2Ftaro-cli

Affected ranges

Affected versions

0.*
0.1.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@spcsn/taro-cli/MAL-2026-4447.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "domains": [
        "taro.jd.com",
        "34.6.16.104.in-addr.arpa"
    ],
    "evidence_files": [
        {
            "tlsh": "04f09e3f5ab14123267352b8e97b614b3217829764a8d968f5fd67510fc23401ad31e8",
            "sha256": "b29d7e16632d14cf8ea1277534aaed476a2859fe962b7f278752425cab97d348",
            "path": "postinstall.js"
        },
        {
            "sha256": "4458bd42f8bf2d69f12385a85e01068ce508df371df6e2a4fbc46c23cedd9af2",
            "tlsh": "d0f164662afe593201b3106c872f04413a7e67a7510ce94579fce2845f594ea91f3fec",
            "path": "dist/presets/commands/global-config.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "taro-cli-0.1.5.tgz",
            "hashes": {
                "sha1": "5fdc18831759bbc37ccdb3914cdf3d01b279cd42",
                "sha512_sri": "sha512-zsr1YnGs09jIxr7/AtA5doG/4yzfxq4My8T+Xyws35RSr3Hmsu3Rj5aws3JytM6butpLcGTyNtf9ZJDBp1eO3w=="
            }
        }
    ]
}