MAL-2026-4453

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tarojs/cli/MAL-2026-4453.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4453
Withdrawn
2026-05-26T20:46:07Z
Published
2026-05-19T19:06:44Z
Modified
2026-05-27T00:31:51.724931342Z
Summary
Malicious code in @tarojs/cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (59b4e6cd0fe6bd16c6fb2bd04e6542a2a3052182d8815a08b124df56f2d9fde2)

On npm install, the package's postinstall script performs a reachability GET to https://taro.jd.com/ and, on success, invokes the package's own bin/taro with global-config add-plugin @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com. Internally that shells out to npm install @jdtaro/plugin-build-report-performance@latest --registry=http://registry.m.jd.com in the user's ~/.taro global-config directory.

Two installer-harm properties hold simultaneously: (1) the dependency is unpinned (@latest), so the bytes resolved at install time are whatever the registry serves at that moment, not something the publisher controls; and (2) the registry is reached over plain HTTP (http://registry.m.jd.com), so any on-path network attacker can substitute an arbitrary tarball, whose own lifecycle scripts then execute as the installing user.

The plugin is then persistently registered in the user's global Taro config (TARO_GLOBAL_CONFIG_DIR), so it is auto-loaded by every subsequent taro build invocation across all projects, with no prompt or opt-in. The name and registry suggest a JD build-telemetry plugin, but the installer-harm concern is independent of intent: an unpinned, plain-HTTP fetch-and-execute at lifecycle time is a textbook MITM-to-RCE path.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003253",
            "versions": [
                "4.1.12-beta.47"
            ],
            "sha256": "260bc742bd36d018e4bdf8b22fceacc1c4c477d92bfaccc5ba6d803dd6d709af",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T19:06:44Z",
            "import_time": "2026-05-26T05:50:17.924378731Z"
        },
        {
            "id": "IN-MAL-2026-004596",
            "versions": [
                "4.2.1-beta.0"
            ],
            "sha256": "59b4e6cd0fe6bd16c6fb2bd04e6542a2a3052182d8815a08b124df56f2d9fde2",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T08:07:04Z",
            "import_time": "2026-05-26T05:52:54.748568895Z"
        },
        {
            "id": "IN-MAL-2026-004597",
            "import_time": "2026-05-26T05:52:54.861615479Z",
            "sha256": "ef2e4036838b6afaac5d53f4f07ceede905e6fad74d373282ff75d24c8fe45fe",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T08:07:05Z",
            "versions": [
                "4.2.1-beta.0"
            ]
        },
        {
            "id": "IN-MAL-2026-003254",
            "versions": [
                "4.1.12-beta.47"
            ],
            "sha256": "f84d67df2a93a52d8c85789b16ba572809d61dd085f25ee2ef48cf3fc8a231e1",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T19:06:45Z",
            "import_time": "2026-05-26T05:50:18.020652231Z"
        }
    ]
}
References
Credits

Affected packages

npm / @tarojs/cli

Package

Name
@tarojs/cli
Purl
pkg:npm/%40tarojs%2Fcli

Affected ranges

Affected versions

4.*
4.1.12-beta.47
4.2.1-beta.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "e0dee9027d8ff26268c67077916dbf4bab6505f1c152d018ecec119938aa83b8",
            "tlsh": "37f09e3b59f440232363427ce83f614b321b425220688e68f5ed27510bc33501ad32e4"
        }
    ],
    "package_integrity": [
        {
            "filename": "cli-4.1.12-beta.47.tgz",
            "hashes": {
                "sha512_sri": "sha512-cXV7bt+zSO84F6gvTWd1WKaz9ajXR0Y5g/RV1dulMXMOoRpqxtEDA27+O+YxlsdIE8QzD6/QAaLZN4IUKTOitQ==",
                "sha1": "ce4e26ca070bd76571c4b6aff3496a1cf37c2aa5"
            }
        }
    ],
    "domains": [
        "34.1.16.104.in-addr.arpa",
        "taro.jd.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tarojs/cli/MAL-2026-4453.json"