MAL-2026-4627

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/onboardconnect-agent/MAL-2026-4627.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4627
Withdrawn
2026-05-26T18:48:19Z
Published
2026-05-22T15:00:53Z
Modified
2026-05-27T00:32:07.231678473Z
Summary
Malicious code in onboardconnect-agent (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5)

The package's dist/setup.js script performs an HTTPS POST to https://oc-worker-tenant-api.wpolanco.workers.dev carrying values read from process.env, with additional fetch/POST sites further down the same file. dist/server.js contains multiple POST sinks and a ping invocation, while dist/crypto.js and dist/store.js wrap repeated Buffer.from(..., 'base64') decoding routines consistent with obfuscated payload handling. The destination is a personal *.workers.dev subdomain (wpolanco.workers.dev) that is not associated with any documented vendor publisher and is the canonical low-effort exfiltration host shape — anonymous, free, attacker-controlled, and trivially registered. No legitimate purpose for an 'onboard connect agent' to ship environment variables to a personal Cloudflare Worker exists; combined with the base64-decoding helpers in adjacent files this matches the data-exfiltration shape directly.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "30e75809f132f2cac2c85cf0bb18b445a9df490ac709a2d42eab018f430f07af",
            "id": "IN-MAL-2026-004554",
            "modified_time": "2026-05-24T22:46:37Z",
            "versions": [
                "1.1.24"
            ],
            "import_time": "2026-05-26T05:52:49.726131147Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "35813ed05d8b88c8db8caf673571dbe285ceff43c5b93c9a5e85992383844fa5",
            "id": "IN-MAL-2026-004767",
            "modified_time": "2026-05-25T19:11:54Z",
            "versions": [
                "1.1.31"
            ],
            "import_time": "2026-05-26T05:53:14.617708287Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "4cda0c95b483c82968d2b75214fd2d06061eb09001d46bd5cac4b8517d34bdeb",
            "id": "IN-MAL-2026-004551",
            "import_time": "2026-05-26T05:52:49.391332586Z",
            "modified_time": "2026-05-24T20:51:34Z",
            "versions": [
                "1.1.22"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "5b9677346fc5c8f57ad8de388659543ce2ed5863428723484cd7dbfdc90f28b5",
            "id": "IN-MAL-2026-004287",
            "import_time": "2026-05-26T05:52:18.534440351Z",
            "modified_time": "2026-05-23T04:44:38Z",
            "versions": [
                "1.1.15"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5",
            "id": "IN-MAL-2026-004288",
            "import_time": "2026-05-26T05:52:18.664704889Z",
            "modified_time": "2026-05-23T04:49:48Z",
            "versions": [
                "1.1.16"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.21"
            ],
            "id": "IN-MAL-2026-004532",
            "import_time": "2026-05-26T05:52:47.341029206Z",
            "modified_time": "2026-05-24T19:11:42Z",
            "sha256": "b02ef4a70a4d4322b88f002cd5151a3ad6a9036379c82d7febff362daf7dee97",
            "source": "amazon-inspector"
        },
        {
            "sha256": "c609b6742ce86266143c09e5e33fdc3cc3d4a65891fc2e7a73eb976d2a25b4d7",
            "id": "IN-MAL-2026-004221",
            "import_time": "2026-05-26T05:52:10.93673692Z",
            "versions": [
                "1.1.5"
            ],
            "modified_time": "2026-05-22T15:00:53Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.32"
            ],
            "id": "IN-MAL-2026-004768",
            "import_time": "2026-05-26T05:53:14.715082467Z",
            "modified_time": "2026-05-25T19:19:51Z",
            "sha256": "f0c350755d37ffa3c7c04f7dcfaa31c2c2b3fc201ec3f5ac23aa96b5568a176f",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.25"
            ],
            "id": "IN-MAL-2026-004557",
            "import_time": "2026-05-26T05:52:50.11683154Z",
            "modified_time": "2026-05-24T23:41:42Z",
            "sha256": "f1362c8a1baa1868bc39797b170ecd8018b1d5181b599cec13f52620836e13d0",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / onboardconnect-agent

Package

Name
onboardconnect-agent
View open source insights on deps.dev
Purl
pkg:npm/onboardconnect-agent

Affected ranges

Affected versions

1.*
1.1.5
1.1.15
1.1.16
1.1.21
1.1.22
1.1.24
1.1.25
1.1.31
1.1.32

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "onboardconnect-agent-1.1.24.tgz",
            "hashes": {
                "sha512_sri": "sha512-srwC0hn9FpRP96iFnneT+9H3goMA5/xqcoAePTk/oWMrMlP7jXu4lJqYnoUsehEyauqKOwaCJtJg0dN/VovCWw==",
                "sha1": "57fdbdff35f154455cff19b645e8725e9d139f97"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "10f04c987c7295e052b2d8d21db7e64a63d0161b7401c7ada3289244cf59914d9470ec",
            "sha256": "7bbbd06ec3c0412786ad6f3ff610eea18ad8e9bc597a37b366a29676ceefcb93",
            "path": "dist/crypto.js"
        },
        {
            "sha256": "9e933b378b7a0fc924056c6f21d42466c960a0911765309af3c6ff42cae2f706",
            "tlsh": "0a82734a39f324368773a36d8f1b95053226c81b3909de59bf8c93549f4946c86f2bec",
            "path": "dist/server.js"
        },
        {
            "sha256": "ee16c358f465579cfc150f544e350209e36a90cfedc8d8bc134f76c54289108f",
            "tlsh": "73f1b85444fb0a70193729a56f1700022b72e7072644fe9877dcc3a49fc5a1ada7b7ed",
            "path": "dist/setup.js"
        },
        {
            "sha256": "dab9df0e3c1e74e5d515ac01d82a3b8fbb3ceb77fd3171990397e12a1ce75c62",
            "tlsh": "8ce1631709fb5e5342a3efa6c69b91016d24a24b3604cd88f56cf314ef1946898b36e8",
            "path": "dist/store.js"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/onboardconnect-agent/MAL-2026-4627.json"