MAL-2026-4572

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/get-package-lint/MAL-2026-4572.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4572
Published
2026-05-22T07:15:19Z
Modified
2026-05-26T06:02:34.571508928Z
Summary
Malicious code in get-package-lint (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (383f22ab2e1e8bbb44a44fa3828710f476947837d0b38aa9266eafcbf9959261)

Package name typosquats the popular get-package-type and reuses its README/exports verbatim, but adds "postinstall": "node utils.cjs" in package.json. utils.cjs is a 263 KB obfuscator.io-protected blob (string-array rotation with anti-debug debugger loops, RegExp toString fingerprint, and Function('return this') sandbox checks) that on npm install: (1) decodes a hardcoded base64+XOR-obfuscated URL and bearer token (HFTOKEN), (2) HTTPS-GETs a platform-specific binary (linux-x64 / darwin-arm64 / win32-x64 selected via DOWNLOADMAP), (3) writes it under the user's local data directory, chmod 0755 on POSIX, and spawns it detached, (4) installs OS-level persistence: on Windows via reg add HKCU\...\CurrentVersion\Run, on macOS via a LaunchAgent plist under ~/Library/LaunchAgents, on Linux via a systemd user unit at ~/.config/systemd/user/<unit>.service followed by systemctl --user daemon-reload && enable && start. The script also self-detaches by re-spawning itself with a child argv via {detached:true, stdio:'ignore'} and calling process.exit(0) so npm sees success while the dropper continues asynchronously. The fetched bytes are opaque, unverified (no hash/signature), and the source domain is not the package's publisher. This is an unambiguous binary-runner-dropper plus backdoor persistence triggered on every install.

Database specific 
{
    "malicious-packages-origins": [
        {
            "sha256": "383f22ab2e1e8bbb44a44fa3828710f476947837d0b38aa9266eafcbf9959261",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T07:15:19Z",
            "import_time": "2026-05-26T05:52:03.258471076Z",
            "versions": [
                "0.1.0"
            ],
            "id": "IN-MAL-2026-004161"
        }
    ]
}
References
Credits

Affected packages

npm / get-package-lint

Package

Name
get-package-lint
View open source insights on deps.dev
Purl
pkg:npm/get-package-lint

Affected ranges

Affected versions

0.*
0.1.0

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/get-package-lint/MAL-2026-4572.json"
indicators 
{
    "package_integrity": [
        {
            "filename": "get-package-lint-0.1.0.tgz",
            "hashes": {
                "sha1": "3f8237e4a742c5f473f3eb78e25f082e89c82506",
                "sha512_sri": "sha512-k+wYqmq4noyDPm7RwINxe4DQOJDA/MZfOqgD4JLatullKd7/z6FCbcNHfqD20d+n3HW+iEDBSagcsOv/cE+csg=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "744cbafafa0d8cb8aee9db2d520943ee9409a8c517f75a5b4f315a632b7e8061",
            "tlsh": "ec01d313da51bff323c52b9d792cc0d3a6bd004a7448d4cc4de36260c1d92702b1a18a",
            "path": "package.json"
        },
        {
            "sha256": "b42ccbc86e06451f2aae3b865765280e6d3ec7611b5d4e81c0c06d39f3889623",
            "tlsh": "e544b58477c67c8212075777731ab2e5e93add94b08c449df540bc68f0ada2bfae0a71",
            "path": "utils.cjs"
        }
    ]
}
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]