The package's install.js (wired to an npm install lifecycle hook) requires child_process, fs, and https, then issues an https.get to a raw.githubusercontent.com URL and writes/executes the fetched content with environment variables passed through. Fetching code from a personal/raw GitHub user content URL — a mutable, non-publisher, non-version-pinned source — and running it as part of npm install is the canonical install-time dropper shape: any installer of harness-skil executes whatever bytes currently live at that URL, with no integrity check or pinning. The package's name does not indicate a legitimate need to download external code at install time, and the destination is not a publisher-owned or known runtime CDN.
```json
{
  "malicious-packages-origins": [
    {
      "source": "amazon-inspector",
      "sha256": "45ebe57d4bef636497d4588feca853441fd83299640ef1e1d772eca62121d396",
      "modified_time": "2026-05-24T06:05:19Z",
      "versions": [
        "1.0.0"
      ],
      "id": "IN-MAL-2026-004468",
      "import_time": "2026-05-26T05:52:39.528723343Z"
    },
    {
      "sha256": "e03ab8467953cd2233e07e792a33c7df7be2c99c66da3b814538a169337b93e6",
      "source": "amazon-inspector",
      "modified_time": "2026-05-24T06:05:18Z",
      "versions": [
        "1.0.0"
      ],
      "id": "IN-MAL-2026-004467",
      "import_time": "2026-05-26T05:52:39.41309522Z"
    }
  ]
}
```

Source record: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/harness-skil/MAL-2026-4577.json

```json
{
  "domains": [
    "raw.githubusercontent.com"
  ],
  "package_integrity": [
    {
      "filename": "harness-skil-1.0.0.tgz",
      "hashes": {
        "sha1": "de0854b1029861dcf104cd6eb5c4f9686f84dc5e",
        "sha512_sri": "sha512-Cg5wFqIEMRpOA4hwb6ISxts+uzuXfPTvTwPHadIaJQWIDdVkZIimCwRCrNpXvSfq/u0bVTOkoCD7Wi7wz37rdw=="
      }
    }
  ],
  "evidence_files": [
    {
      "sha256": "123a9e76ca57e3f3ebe58048fb20fe1e42c409e70842c064eca56296b44cfdf8",
      "tlsh": "7d51216e48f786305773a4882b5b401b746699032259db58b76c472affc1a38c2069ff",
      "path": "install.js"
    }
  ]
}
```

```json
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]
```