MAL-2026-4567

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/freertc/MAL-2026-4567.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4567
Published
2026-05-24T02:10:29Z
Modified
2026-05-26T06:02:34.347839052Z
Summary
Malicious code in freertc (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1fb3d1337fc97d6eaccde325dc5f539a28af051f548c31f1b97a8752b8f51878)

On install, scripts/postinstall-message.mjs reads the consumer project's package.json via process.env.INIT_CWD. If freertc appears in dependencies or devDependencies with any value other than 'latest', the script overwrites that entry to 'latest', writes the modified package.json back to disk, and invokes spawnSync('npm', ['install'], { cwd: projectRoot }). This silently mutates the installing project's committed manifest (and its lockfile, via the recursive npm install) without consent, replacing any pinned version constraint with the mutable 'latest' dist-tag.

The effect is that every subsequent install on the consumer's machine, and on every collaborator's machine once the modified package.json is committed, automatically pulls whatever the newest published freertc release happens to be, including any future compromised release. This removes version pinning, the consumer's primary defense against supply-chain attacks on this package, as a direct consequence of installing it.

The postinstall hook also performs an outbound fetch to registry.npmjs.org to gather version information as part of the same flow. Independent of the version-rewrite behavior, the package contains additional outbound network calls in bin/freertc.mjs and a ping/network-id pattern in scripts/non-cloudflare-server.mjs that warrant scrutiny, but these are reachable only via explicit CLI/server invocation, not at install time.
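The following Node script is an added example, not part of this advisory, of the ossf/malicious-packages data, or of the freertc package. It audits a consumer project for the three artifacts the behaviour above leaves behind: dependency specs rewritten to a mutable dist-tag in package.json, a resolved freertc entry in package-lock.json whose version or tarball integrity matches this advisory, and an install script that reads INIT_CWD, writes a package.json and re-spawns npm. The package.json, package-lock.json and postinstall source used as input are constructed for the example (the postinstall text is a minimal stand-in for the pattern described, not the package's real script), and the function names are the example's own.

```javascript
'use strict';
// Added example: audit a consumer project for the effects described in
// MAL-2026-4567. Sample inputs below are constructed, not taken from the package.

// Versions and the one published tarball integrity listed in the advisory.
const AFFECTED_FREERTC_VERSIONS = new Set([
  '0.1.20', '0.1.21', '0.1.22', '0.1.23', '0.1.28', '0.1.31', '0.1.32', '0.1.33',
]);
const KNOWN_BAD_INTEGRITY = new Set([
  'sha512-3U/VAVWJjDrfz1WGoeBehxzaDSd2K4wsvoTmfhFyjZTOSi7EatKQouJcC7z/fZMszsrz+IYPaoBfrxL9zGoIIQ==',
]);

// A spec is a mutable dist-tag when it is a bare word ('latest', 'next', ...),
// empty, or '*', rather than a semver range or a url:/file:/git:/npm: spec.
function isMutableTag(spec) {
  if (typeof spec !== 'string') return false;
  const s = spec.trim();
  if (s === '' || s === '*') return true;
  if (/[:/]/.test(s)) return false;
  return /^[A-Za-z][A-Za-z0-9._-]*$/.test(s);
}

// Flag manifest entries that no longer pin a version. 'latest' can be
// intentional in some repositories, so treat hits as triage signals.
function auditManifest(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isMutableTag(spec)) findings.push({ field, name, spec, reason: 'mutable dist-tag, not a pinned version' });
    }
  }
  return findings;
}

// Walk a lockfileVersion 2/3 "packages" map and report any resolved freertc
// that is an affected version or whose integrity matches the published tarball.
function auditLockfile(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    if (name !== 'freertc') continue;
    if (AFFECTED_FREERTC_VERSIONS.has(entry.version)) {
      findings.push({ path, version: entry.version, reason: 'version listed in MAL-2026-4567' });
    } else if (entry.integrity && KNOWN_BAD_INTEGRITY.has(entry.integrity)) {
      findings.push({ path, version: entry.version, reason: 'integrity matches freertc-0.1.22.tgz' });
    }
  }
  return findings;
}

// Static heuristic for the install-time pattern: reads INIT_CWD, writes a
// package.json, and re-invokes npm. All three together are the signal.
function scanInstallScript(source) {
  const hits = [];
  if (/process\.env\.INIT_CWD/.test(source)) hits.push('reads INIT_CWD');
  if (/writeFile(?:Sync)?/.test(source) && /package\.json/.test(source)) hits.push('writes package.json');
  if (/spawn(?:Sync)?\s*\(\s*['"]npm['"]/.test(source)) hits.push('spawns npm');
  return { suspicious: hits.length === 3, hits };
}

// Constructed samples: a manifest after the rewrite, a lockfile still holding
// the previously pinned version, and a stand-in for the described postinstall.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'consumer-app',
  dependencies: { freertc: 'latest', express: '^4.19.2' },
  devDependencies: { vitest: 'next', typescript: '5.4.5' },
});
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'consumer-app' },
    'node_modules/freertc': {
      version: '0.1.22',
      resolved: 'https://registry.npmjs.org/freertc/-/freertc-0.1.22.tgz',
      integrity: 'sha512-3U/VAVWJjDrfz1WGoeBehxzaDSd2K4wsvoTmfhFyjZTOSi7EatKQouJcC7z/fZMszsrz+IYPaoBfrxL9zGoIIQ==',
    },
    'node_modules/express': { version: '4.19.2' },
  },
});
const SAMPLE_POSTINSTALL = [
  "import fs from 'node:fs';",
  "import { spawnSync } from 'node:child_process';",
  'const projectRoot = process.env.INIT_CWD;',
  "fs.writeFileSync(projectRoot + '/package.json', '{}');",
  "spawnSync('npm', ['install'], { cwd: projectRoot });",
].join('\n');

function runAudit() {
  return {
    manifest: auditManifest(SAMPLE_PACKAGE_JSON),
    lockfile: auditLockfile(SAMPLE_PACKAGE_LOCK),
    script: scanInstallScript(SAMPLE_POSTINSTALL),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

Run it against a real checkout by reading package.json and package-lock.json from disk in place of the samples. Because the rewrite happens in a lifecycle script, installing with `ignore-scripts=true` in .npmrc (or `npm install --ignore-scripts`) prevents it from running at all; a `git diff package.json` after any install that did run scripts will show the pin-to-'latest' change.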

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004446",
            "import_time": "2026-05-26T05:52:37.024010652Z",
            "sha256": "14f60508e71ccdcc4e4ee8520b255f40c5c14c125e877dc42cbafd756604e18b",
            "versions": [
                "0.1.22"
            ],
            "modified_time": "2026-05-24T02:21:25Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004455",
            "import_time": "2026-05-26T05:52:38.049361621Z",
            "sha256": "aef2425fbb38462625b0b935a4b92981233608a339bbc970292ba25aa55706f5",
            "modified_time": "2026-05-24T03:00:47Z",
            "versions": [
                "0.1.32"
            ]
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004454",
            "import_time": "2026-05-26T05:52:37.910222124Z",
            "sha256": "e12f4a6e2a70bb62bbe254bb0fbd149d5683f9a3584d6da58bc2732a76cad12c",
            "versions": [
                "0.1.33"
            ],
            "modified_time": "2026-05-24T03:00:42Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004450",
            "import_time": "2026-05-26T05:52:37.458437676Z",
            "sha256": "1fb3d1337fc97d6eaccde325dc5f539a28af051f548c31f1b97a8752b8f51878",
            "versions": [
                "0.1.28"
            ],
            "modified_time": "2026-05-24T02:40:39Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004447",
            "import_time": "2026-05-26T05:52:37.13320799Z",
            "sha256": "239215d3d45027d51400df45757c08811434787c8cd0d16300c04bbe329e86b8",
            "versions": [
                "0.1.23"
            ],
            "modified_time": "2026-05-24T02:26:39Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004429",
            "import_time": "2026-05-26T05:52:35.069603762Z",
            "sha256": "44343514707df6ce806b9a61f60a0765d8ec68bbbfed1b8ba11bd505dc4811ec",
            "modified_time": "2026-05-24T02:10:29Z",
            "versions": [
                "0.1.20"
            ]
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004451",
            "import_time": "2026-05-26T05:52:37.553675347Z",
            "sha256": "89be6086d0dbe790b6deb2e6e2b974858a75dfe30a0113f872014915fb428e63",
            "versions": [
                "0.1.31"
            ],
            "modified_time": "2026-05-24T02:45:53Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004430",
            "import_time": "2026-05-26T05:52:35.232866656Z",
            "sha256": "aac02ee7f9fa879e94877b0ddb6915d85010a5ad3aadacd3042d80d332c60c58",
            "modified_time": "2026-05-24T02:10:33Z",
            "versions": [
                "0.1.21"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / freertc

Package

Affected ranges

Affected versions

0.*
0.1.20
0.1.21
0.1.22
0.1.23
0.1.28
0.1.31
0.1.32
0.1.33

Database specific

indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "472c60bd00023eb97a3744e028201413b5b8c938",
                "sha512_sri": "sha512-3U/VAVWJjDrfz1WGoeBehxzaDSd2K4wsvoTmfhFyjZTOSi7EatKQouJcC7z/fZMszsrz+IYPaoBfrxL9zGoIIQ=="
            },
            "filename": "freertc-0.1.22.tgz"
        }
    ],
    "evidence_files": [
        {
            "tlsh": "4c81868859f665309da017dd515fa4213736d901374de8f0f2ed51047fc7768829ba2f",
            "sha256": "4366b6d0b1e8870ba1f5c4c0a1b89fd87cf99cbbe02a8cd2ff1faba4ed8880d3",
            "path": "scripts/postinstall-message.mjs"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/freertc/MAL-2026-4567.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]