MAL-2026-4626

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/omnius/MAL-2026-4626.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4626
Withdrawn
2026-05-26T18:47:47Z
Published
2026-05-21T00:38:55Z
Modified
2026-05-27T00:32:07.226234709Z
Summary
Malicious code in omnius (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2aceac0879b587bc711c3f156bf0de4bab90f3774816a6cbeb36a2cf9bb03e12)

The package's postinstall lifecycle hook launches dist/postinstall-daemon.cjs, which combines child_process.execSync, os.userInfo(), filesystem probes, and network primitives (require('http'), http.request, GET) consistent with a host-reconnaissance-and-exfiltration daemon. The script repeatedly invokes ping (5+ call sites at lines 184, 298, 465, 693, 741) for host/network discovery, and reads identity (os.userInfo at L160, L395) before sending HTTP requests. package.json declares both preinstall and postinstall hooks and additionally embeds curl invocations (line 142). A sibling Python script (dist/scripts/web_scrape.py) contains its own ping/wget/POST chain. The combination of: (a) a daemon installed via lifecycle hooks, (b) execSync-driven system enumeration, (c) outbound HTTP from install-time-reachable code, and (d) multiple curl shell-outs in package.json constitutes installer-side reconnaissance with network exfiltration. Installing this package will execute attacker-controlled probing/exfiltration on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1a72f7f4c87504d318fda887255883803833c2f4ca996467217d759bbc668965",
            "id": "IN-MAL-2026-004346",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T15:30:31Z",
            "versions": [
                "1.0.153"
            ],
            "import_time": "2026-05-26T05:52:25.201973024Z"
        },
        {
            "sha256": "b3cc519a95afb055f43032cd7b0e9552fac64c552404ce9bc1a1530399730fd1",
            "id": "IN-MAL-2026-004357",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T16:10:15Z",
            "versions": [
                "1.0.155"
            ],
            "import_time": "2026-05-26T05:52:26.553669486Z"
        },
        {
            "sha256": "c38d8aee6b2de2fb5ec8ee9cf3e1aab47b8be658d4e555c01a9266face8f23ba",
            "import_time": "2026-05-26T05:52:15.442917667Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T21:21:42Z",
            "versions": [
                "1.0.147"
            ],
            "id": "IN-MAL-2026-004261"
        },
        {
            "sha256": "dc0cf5809bf2c7b1f2840592209c44e1e7d8933913d00d2861ce400802b755aa",
            "import_time": "2026-05-26T05:51:03.715533986Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T00:38:55Z",
            "versions": [
                "1.0.136"
            ],
            "id": "IN-MAL-2026-003660"
        },
        {
            "sha256": "e99944d68b58a61e9d867d2196d24769ec1946b7c8d609ca1c9307f4d2243149",
            "id": "IN-MAL-2026-004248",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T19:31:42Z",
            "versions": [
                "1.0.145"
            ],
            "import_time": "2026-05-26T05:52:13.939893014Z"
        },
        {
            "sha256": "2aceac0879b587bc711c3f156bf0de4bab90f3774816a6cbeb36a2cf9bb03e12",
            "id": "IN-MAL-2026-004264",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T22:03:46Z",
            "versions": [
                "1.0.148"
            ],
            "import_time": "2026-05-26T05:52:15.790515879Z"
        },
        {
            "sha256": "6a5b974a484b7443740543dc531dcaad2348d3edadf40ae977fbf869eed3b475",
            "id": "IN-MAL-2026-003760",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T06:39:39Z",
            "versions": [
                "1.0.140"
            ],
            "import_time": "2026-05-26T05:51:15.707780856Z"
        },
        {
            "sha256": "794e49a48f66ee210825a7ced539a54e843cec5c34039b4cc3c0075d14647850",
            "id": "IN-MAL-2026-003764",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T06:46:40Z",
            "versions": [
                "1.0.141"
            ],
            "import_time": "2026-05-26T05:51:16.220928412Z"
        },
        {
            "sha256": "93a7f2c08cabc3d13867b7fce6973109bf98f42ecce2e9343d08b7c7caf5a066",
            "id": "IN-MAL-2026-004458",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T03:50:41Z",
            "versions": [
                "1.0.157"
            ],
            "import_time": "2026-05-26T05:52:38.354929658Z"
        }
    ]
}

Affected packages

npm / omnius

Affected versions

1.*
1.0.136
1.0.140
1.0.141
1.0.145
1.0.147
1.0.148
1.0.153
1.0.155
1.0.157

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/omnius/MAL-2026-4626.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "37cb864926ffabc825b48bd82b22e6308f07f9cde7e21944c27359fe025eb395",
            "tlsh": "a9d2d675b6ea21343963e2bd4b5f50097a69f1133514de1078bc72586fcc82e02b6efa",
            "path": "dist/postinstall-daemon.cjs"
        },
        {
            "sha256": "f9be42693e75326307bb74e99f2aad68149890fae8042d22c7d25e7ea92df605",
            "tlsh": "d643a435a916646af363c02e592781023725b85336866630b9cc77b46fdc87ac2f67fc",
            "path": "dist/scripts/web_scrape.py"
        },
        {
            "tlsh": "70634b63be3a697a17dbc18332191075cf39909a55584814b0dccaed9b8dafc933f392",
            "sha256": "3b2726737a53d8457287395a10e99e4dab399c887296c309da6c77edb33d4921",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "omnius-1.0.153.tgz",
            "hashes": {
                "sha1": "3e158ce8da88df9ed3be134a5821ccb3eb1e064f",
                "sha512_sri": "sha512-QvB66UWpruNEW2CUuLNCm0d5dGUSRzjubdyXYpTakTqH/0qPY+91SwXVKf+T+7fsWjC2quI202V+KQy24zjKhA=="
            }
        }
    ]
}