MAL-2026-4580

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/http-uploader-dev/MAL-2026-4580.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4580
Published
2026-05-21T09:06:31Z
Modified
2026-06-12T20:01:52.825696589Z
Summary
Malicious code in http-uploader-dev (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b)

package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out to launch an unrelated local application — open -a Calculator on macOS, calc.exe on Windows, and xcalc/gnome-calculator/kcalc on Linux — via execSync. This is the canonical proof-of-concept install-time RCE payload and bears no relation to the package's stated 'http uploader' purpose. Two independently suspicious structural traits compound the lifecycle behavior: (1) the preinstall hook routes execution through Bun, an alternate runtime fetched outside the normal Node resolution path, matching the alternate-runtime-dropper pattern; (2) package metadata is placeholder/throwaway (author 'sleep', homepage https://git.hfaf.com/urlaa, generic name 'http-uploader-dev'). The PoC nature of the current payload (launching a calculator) does not lower the severity: any installer running npm install http-uploader-dev executes attacker-chosen commands at install time, and a future republish can swap in arbitrary code with no change to the trigger surface.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b",
            "import_time": "2026-05-26T05:51:19.972056137Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T09:47:46Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-003797"
        },
        {
            "sha256": "c5c79f07e872440f7a6cdddf0385c8e88675a0def325a08af63de330f1cd94c3",
            "id": "IN-MAL-2026-003788",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T09:06:31Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-26T05:51:18.977386732Z"
        },
        {
            "sha256": "dad89f8aa4b11f7ca9548e55a763bff12293a14d3889074f847d4735e1af5126",
            "import_time": "2026-05-26T05:51:19.731201257Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T09:37:37Z",
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-003795"
        },
        {
            "sha256": "f78bad20b316dad1568a74ff372d2d5e955bd658ccf93bd814e2939c3a0b8216",
            "import_time": "2026-05-26T05:52:56.064951496Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T08:35:42Z",
            "versions": [
                "1.0.5"
            ],
            "id": "IN-MAL-2026-004607"
        },
        {
            "sha256": "a8bb3bd4e143aaf8df6d3d54eedb9f36d7f156c59775eed35a21de8d33b253a3",
            "import_time": "2026-05-26T05:51:19.284239093Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T09:15:41Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-003791"
        },
        {
            "sha256": "d9818578428bc38b7bd3f5e4546e4d14d0ebe9709b9fea08cd359a3f99e84d46",
            "id": "IN-MAL-2026-004872",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T08:33:56Z",
            "versions": [
                "1.0.6"
            ],
            "import_time": "2026-05-26T09:17:32.39634727Z"
        },
        {
            "sha256": "577aa4c42e8931b5a638758260beaa8efade008231a95c06a0c0b7829655bb7b",
            "import_time": "2026-06-12T19:43:55.604416996Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:06:45Z",
            "versions": [
                "1.0.7"
            ],
            "id": "IN-MAL-2026-005990"
        }
    ]
}
References
Credits

Affected packages

Package: npm / http-uploader-dev
Affected ranges: 1.*
Affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.0.6, 1.0.7

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/http-uploader-dev/MAL-2026-4580.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "b1f084e09afad730aa7518a36e8a11a561a39027240afb9c30898386ab9416402b0cf5",
            "sha256": "522164d64f61e40a5602b8090c2e161954c668915725d63acc2752adfe2db81e",
            "path": "index.js"
        },
        {
            "tlsh": "c0e0d8b4c8219c732dd04b288929594662a48f3b40453c0a73db108c9ade5b714ff14e",
            "sha256": "99a72d6da2467bc9ce3b6be5f8b241558b24d792d264116990a2a3a835594c9b",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "http-uploader-dev-1.0.3.tgz",
            "hashes": {
                "sha1": "94e48058681c401fba7de9a6545d65df48b718e4",
                "sha512_sri": "sha512-AzrPDH2ly7783OGYsCgJcpsULrdvVc36C0mHjfkzcEPhg2zfNPDcSxksfPbI1ZNa0XaqM3nOsHCGBsljGyY3hQ=="
            }
        }
    ]
}