MAL-2026-4606

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/martinez-polygon-clipping-tony/MAL-2026-4606.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4606
Published
2026-05-19T23:08:55Z
Modified
2026-05-26T06:02:42.117766039Z
Summary
Malicious code in martinez-polygon-clipping-tony (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dabf04b2f99e28eb10740bd7459bf64513fac98a064b60071b1e7aabf8674dd0)

Package name impersonates the legitimate martinez-polygon-clipping library: README, badges, and API surface are copied verbatim, while repository points at an unrelated user (daltonchristiano060-gif/dalton-martinez). On npm install, scripts/postinstall.js fetches a platform/arch-specific binary from a hardcoded RFC1918 endpoint over plain HTTP (http://10.10.6.129:8787/droppers/<os>-<arch> or /droppers/windows.exe), writes it to os.tmpdir() or c:/users/public/windows.exe, chmods 0755, and spawns it detached with stdio ignored. There is no integrity verification, the URL is mutable, and a polygon-clipping library has no legitimate need for a native binary. Before fetching, the script enumerates environment variables and Linux DMI strings to detect GitHub Actions, GitLab CI, CircleCI, Buildkite, Travis, Vercel, Netlify, Kubernetes, AWS Lambda/ECS/Batch/EC2, Azure, and GCP, returning early in those cases — selective execution that targets developer workstations and hides from automated scanners. The combination of typosquat + install-time arbitrary-binary dropper + CI/cloud evasion is unambiguously a targeted attack on developer machines.
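As an added example (not part of the advisory or the package), the following triage script flags the install-time dropper traits described above: a lifecycle install hook, plaintext HTTP to an RFC1918 address, writes into a temp or public directory, an executable-bit chmod, a detached spawn with stdio ignored, and probes for CI/cloud markers. The package.json and postinstall source it inspects are constructed in-memory stand-ins; the download step is deliberately omitted.

```javascript
// Added example, not code from the advisory or the package: heuristic triage of an
// npm package's lifecycle scripts for the install-time dropper pattern above.
// Inputs are constructed stand-ins for package.json and the script it runs.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Plaintext HTTP to RFC1918 space (the advisory's hardcoded endpoint is one such URL).
const PRIVATE_HTTP = /http:\/\/(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})(?::\d+)?[^\s"']*/g;
// Well-known CI/cloud environment markers plus the Linux DMI path an evasion check reads.
const CI_MARKERS = /GITHUB_ACTIONS|GITLAB_CI|CIRCLECI|BUILDKITE|TRAVIS|VERCEL|NETLIFY|KUBERNETES_SERVICE_HOST|AWS_LAMBDA_FUNCTION_NAME|\/sys\/class\/dmi/;

function triagePackage(pkgJson, scriptSources) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
  }
  for (const [file, src] of Object.entries(scriptSources)) {
    for (const url of src.match(PRIVATE_HTTP) || []) findings.push(`${file}: plaintext HTTP to private address ${url}`);
    if (/os\.tmpdir\(\)|c:[\\/]users[\\/]public/i.test(src)) findings.push(`${file}: writes into a temp/public directory`);
    if (/chmod(?:Sync)?\([^)]*(?:0o?755|"755")/.test(src)) findings.push(`${file}: marks a dropped file executable`);
    if (/spawn\(/.test(src) && /detached:\s*true/.test(src) && /stdio:\s*["']ignore["']/.test(src)) {
      findings.push(`${file}: spawns a detached process with stdio ignored`);
    }
    if (CI_MARKERS.test(src)) findings.push(`${file}: probes CI/cloud markers (possible selective execution)`);
  }
  return findings;
}

// Constructed sample mirroring the advisory's description; the fetch itself is omitted.
const SUSPICIOUS_PKG = { name: "martinez-polygon-clipping-tony", scripts: { postinstall: "node scripts/postinstall.js" } };
const SUSPICIOUS_SOURCES = {
  "scripts/postinstall.js": [
    "if (process.env.GITHUB_ACTIONS || process.env.GITLAB_CI) process.exit(0);",
    'const url = "http://10.10.6.129:8787/droppers/" + process.platform + "-" + process.arch;',
    'const dest = path.join(os.tmpdir(), "svc");',
    "/* download step omitted in this constructed sample */",
    "fs.chmodSync(dest, 0o755);",
    'spawn(dest, [], { detached: true, stdio: "ignore" }).unref();',
  ].join("\n"),
};
// Constructed benign control: no install hooks, no scripts to inspect.
const BENIGN_PKG = { name: "martinez-polygon-clipping", scripts: { test: "mocha" } };

console.log(triagePackage(SUSPICIOUS_PKG, SUSPICIOUS_SOURCES).join("\n"));
```

To apply it to a real tarball, unpack it and pass the parsed package.json plus the contents of each file named in its install hooks; an empty result for the benign control shows the heuristics are selective.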

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "dabf04b2f99e28eb10740bd7459bf64513fac98a064b60071b1e7aabf8674dd0",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T23:08:55Z",
            "id": "IN-MAL-2026-003292",
            "import_time": "2026-05-26T05:50:21.835124573Z",
            "versions": [
                "0.9.5"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / martinez-polygon-clipping-tony

Package

Name
martinez-polygon-clipping-tony
Purl
pkg:npm/martinez-polygon-clipping-tony

Affected ranges

Affected versions

0.*
0.9.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/martinez-polygon-clipping-tony/MAL-2026-4606.json"
indicators
{
    "package_integrity": [
        {
            "filename": "martinez-polygon-clipping-tony-0.9.5.tgz",
            "hashes": {
                "sha1": "9a77e286eac2a7721ade432a96b8845e54bac83b",
                "sha512_sri": "sha512-OMU4bjScO7Huc9OPd2cJX8UUA07SNR8uZJb2mGij7lHv7Vryrn0gFBaurpplU+tIOSZQshmIWhrGKW3uoApOkw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "scripts/postinstall.js",
            "tlsh": "dfc153d475f7733503aa65f4034b9516fb9e6803271ac960be9e83907f90b24c3724e9",
            "sha256": "0a503384c081400bb2e49329c1b51f7e0569ddf8a72e0a3c18533708ea253e92"
        },
        {
            "path": "package.json",
            "tlsh": "bb419920c8ba9cb306c555d56cb51266b524480b8f44bd0bb3d3035c8f8f1af62ba63e",
            "sha256": "d83cc71d8edbb76e5caf5cb59de894363f8c0ba98bc52733c383d41481d8684b"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]