MAL-2026-4481

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arc-diag-util/MAL-2026-4481.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4481
Published
2026-05-20T07:23:00Z
Modified
2026-05-26T06:02:09.153533446Z
Summary
Malicious code in arc-diag-util (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (95f08d97107d726a6ae90afbf8e354b84a7e13d4a236bc8766180a362cc8344c)

On npm install, the package's postinstall hook runs the id command to capture the installer's uid/gid/group identity, then opens a raw TCP socket to host.docker.internal:9999 and writes the command output to that listener. The package's declared main (index.js) is a two-line stub exporting {}: there is no library functionality, and the postinstall beacon is the package's sole purpose. host.docker.internal resolves to the Docker host from inside a container, so the pattern is specifically designed to escape sandboxed CI/build containers and report installer identity to a listener on the build host. The hollow library body combined with a generic 'diagnostic utility' name is consistent with a dependency-confusion attempt against an internal package name.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T07:23:00Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "95f08d97107d726a6ae90afbf8e354b84a7e13d4a236bc8766180a362cc8344c",
            "id": "IN-MAL-2026-003484",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:43.745478107Z"
        }
    ]
}

Affected packages

npm / arc-diag-util

Affected versions

1.*
1.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "fae794456fd51cc7b1ae4ff86f7107ababd8a283adf2a035901e7fd58fc551f8",
            "tlsh": "78f0dc608b20f63f1ac143511834c861252348022204b9e4670b426dc2de3f70dbb37f",
            "path": "package.json"
        },
        {
            "sha256": "1ee1f0e03fd18f43210cdd6cec24bb9d6f08fdd4fd92d09d966d4afde18208b4",
            "tlsh": "a9900401d33071454757c317f54444331cd541d1111450d0d14447fd4407fd040d4541",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-BPBm+oYI3u3wCz6N5Hj7wluY9nUP8VljEHqT+UOjb4MgvcQMHdddpCWU9yFci4AkFT6/ho+nI5jtgZtJYgdG4A==",
                "sha1": "291c17e49d8f8d676f6d2005983665a6a400f766"
            },
            "filename": "arc-diag-util-1.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arc-diag-util/MAL-2026-4481.json"