-= Per source details. Do not edit below this line.=-
The package's dist/setup.js script performs an HTTPS POST to https://oc-worker-tenant-api.wpolanco.workers.dev carrying values read from process.env, with additional fetch/POST sites further down the same file. dist/server.js contains multiple POST sinks and a ping invocation, while dist/crypto.js and dist/store.js wrap repeated Buffer.from(..., 'base64') decoding routines consistent with obfuscated payload handling. The destination is a personal *.workers.dev subdomain (wpolanco.workers.dev) that is not associated with any documented vendor publisher and is the canonical low-effort exfiltration host shape — anonymous, free, attacker-controlled, and trivially registered. No legitimate purpose for an 'onboard connect agent' to ship environment variables to a personal Cloudflare Worker exists; combined with the base64-decoding helpers in adjacent files this matches the data-exfiltration shape directly.
{
"malicious-packages-origins": [
{
"sha256": "30e75809f132f2cac2c85cf0bb18b445a9df490ac709a2d42eab018f430f07af",
"id": "IN-MAL-2026-004554",
"modified_time": "2026-05-24T22:46:37Z",
"versions": [
"1.1.24"
],
"import_time": "2026-05-26T05:52:49.726131147Z",
"source": "amazon-inspector"
},
{
"sha256": "35813ed05d8b88c8db8caf673571dbe285ceff43c5b93c9a5e85992383844fa5",
"id": "IN-MAL-2026-004767",
"modified_time": "2026-05-25T19:11:54Z",
"versions": [
"1.1.31"
],
"import_time": "2026-05-26T05:53:14.617708287Z",
"source": "amazon-inspector"
},
{
"sha256": "4cda0c95b483c82968d2b75214fd2d06061eb09001d46bd5cac4b8517d34bdeb",
"id": "IN-MAL-2026-004551",
"import_time": "2026-05-26T05:52:49.391332586Z",
"modified_time": "2026-05-24T20:51:34Z",
"versions": [
"1.1.22"
],
"source": "amazon-inspector"
},
{
"sha256": "5b9677346fc5c8f57ad8de388659543ce2ed5863428723484cd7dbfdc90f28b5",
"id": "IN-MAL-2026-004287",
"import_time": "2026-05-26T05:52:18.534440351Z",
"modified_time": "2026-05-23T04:44:38Z",
"versions": [
"1.1.15"
],
"source": "amazon-inspector"
},
{
"sha256": "9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5",
"id": "IN-MAL-2026-004288",
"import_time": "2026-05-26T05:52:18.664704889Z",
"modified_time": "2026-05-23T04:49:48Z",
"versions": [
"1.1.16"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.1.21"
],
"id": "IN-MAL-2026-004532",
"import_time": "2026-05-26T05:52:47.341029206Z",
"modified_time": "2026-05-24T19:11:42Z",
"sha256": "b02ef4a70a4d4322b88f002cd5151a3ad6a9036379c82d7febff362daf7dee97",
"source": "amazon-inspector"
},
{
"sha256": "c609b6742ce86266143c09e5e33fdc3cc3d4a65891fc2e7a73eb976d2a25b4d7",
"id": "IN-MAL-2026-004221",
"import_time": "2026-05-26T05:52:10.93673692Z",
"versions": [
"1.1.5"
],
"modified_time": "2026-05-22T15:00:53Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.1.32"
],
"id": "IN-MAL-2026-004768",
"import_time": "2026-05-26T05:53:14.715082467Z",
"modified_time": "2026-05-25T19:19:51Z",
"sha256": "f0c350755d37ffa3c7c04f7dcfaa31c2c2b3fc201ec3f5ac23aa96b5568a176f",
"source": "amazon-inspector"
},
{
"versions": [
"1.1.25"
],
"id": "IN-MAL-2026-004557",
"import_time": "2026-05-26T05:52:50.11683154Z",
"modified_time": "2026-05-24T23:41:42Z",
"sha256": "f1362c8a1baa1868bc39797b170ecd8018b1d5181b599cec13f52620836e13d0",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "onboardconnect-agent-1.1.24.tgz",
"hashes": {
"sha512_sri": "sha512-srwC0hn9FpRP96iFnneT+9H3goMA5/xqcoAePTk/oWMrMlP7jXu4lJqYnoUsehEyauqKOwaCJtJg0dN/VovCWw==",
"sha1": "57fdbdff35f154455cff19b645e8725e9d139f97"
}
}
],
"evidence_files": [
{
"tlsh": "10f04c987c7295e052b2d8d21db7e64a63d0161b7401c7ada3289244cf59914d9470ec",
"sha256": "7bbbd06ec3c0412786ad6f3ff610eea18ad8e9bc597a37b366a29676ceefcb93",
"path": "dist/crypto.js"
},
{
"sha256": "9e933b378b7a0fc924056c6f21d42466c960a0911765309af3c6ff42cae2f706",
"tlsh": "0a82734a39f324368773a36d8f1b95053226c81b3909de59bf8c93549f4946c86f2bec",
"path": "dist/server.js"
},
{
"sha256": "ee16c358f465579cfc150f544e350209e36a90cfedc8d8bc134f76c54289108f",
"tlsh": "73f1b85444fb0a70193729a56f1700022b72e7072644fe9877dcc3a49fc5a1ada7b7ed",
"path": "dist/setup.js"
},
{
"sha256": "dab9df0e3c1e74e5d515ac01d82a3b8fbb3ceb77fd3171990397e12a1ce75c62",
"tlsh": "8ce1631709fb5e5342a3efa6c69b91016d24a24b3604cd88f56cf314ef1946898b36e8",
"path": "dist/store.js"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/onboardconnect-agent/MAL-2026-4627.json"