MAL-2026-4668

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/share-anything-cli/MAL-2026-4668.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4668
Withdrawn
2026-05-26T18:52:22Z
Published
2026-05-22T13:21:24Z
Modified
2026-05-27T00:32:12.978081574Z
Summary
Malicious code in share-anything-cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (290f9dadaf589349dd8a7c641450aca713a6ead63b2ba685c15e4e6a37ab3b07)

The package's package.json declares a postinstall lifecycle hook ("postinstall": "node install.js") that runs install.js automatically on npm install. install.js requires child_process and https, gathers host data (process.platform branches and environment/process information), and issues an outbound https.get(...) call. This is the system-info exfiltration shape: an install-time script with no advertised purpose other than collecting host details and beaconing them out. Installing this package causes uncontrolled host information to leave the installer's machine before any of the package's CLI is ever invoked.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-22T13:21:24Z",
            "versions": [
                "0.5.6"
            ],
            "sha256": "290f9dadaf589349dd8a7c641450aca713a6ead63b2ba685c15e4e6a37ab3b07",
            "id": "IN-MAL-2026-004203",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:08.226870168Z"
        },
        {
            "modified_time": "2026-05-22T13:29:57Z",
            "versions": [
                "0.5.6"
            ],
            "sha256": "67271f386de502189d802c6fce3d4e90202cd70015be9f2a94948e29bfbaceb2",
            "id": "IN-MAL-2026-004207",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:08.920555044Z"
        }
    ]
}
References
Credits

Affected packages

npm / share-anything-cli

Package

Affected ranges

Affected versions

0.*
0.5.6

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "5d41420d14f3143642b7f8d6aa8b7417a58780233206dd8cfa6c87496fd7464d2a7add",
            "sha256": "3bdb898377bfcc2fa2df636b5fd61255bdfd41deb114bf0858896f91869fcf16",
            "path": "install.js"
        },
        {
            "tlsh": "cd014950c8309d3329e42db15c6f604993220c0b9d443c0a739b110c4f2f16fb17e9de",
            "sha256": "9bf268e567651f4eb4d4699d2b34d5e2f8e45d1d96373c15b0371891a4eb076e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "58a159c4acfe1e2d7077d505a2ff075414075ae7",
                "sha512_sri": "sha512-OP3nEHGnIxtvrxClgqwznkeyCYxtTSnBiF8APQJIF/O+/EeHm/YCnYTFJZksoi9snE9F6f0izxM5CBiJ5bk1mw=="
            },
            "filename": "share-anything-cli-0.5.6.tgz"
        }
    ],
    "domains": [
        "github.com",
        "release-assets.githubusercontent.com"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/share-anything-cli/MAL-2026-4668.json"