-= Per source details. Do not edit below this line.=-
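dist/index.js imports child_process and runs whoami (observed at multiple call sites), then POSTs the result to a hardcoded remote URL, https://workrally.qq.com. This is the classic host-identity exfiltration shape: gather installer-side identity via whoami and ship it to an attacker-controlled destination. The destination is a string literal in the bundle (not a default parameter or a user-configurable endpoint), and the package's stated purpose does not justify reporting host identity off-machine. Installing or loading this package leaks the installer's username/host to the operator of workrally.qq.com. Note that the reference URL listed for this record sits under osv/withdrawn/, which suggests the report was later withdrawn; confirm the record's current status before acting on it. To check a host for exposure, compare installed artifacts against the hashes listed below and review process and network telemetry for a Node.js process spawning whoami followed by an outbound POST to that host.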
{
"malicious-packages-origins": [
{
"versions": [
"2.4.0"
],
"sha256": "502275ca25c6fb0e28db57d91789be11e347b5f21696ed45e15c015d123eaf51",
"source": "amazon-inspector",
"modified_time": "2026-05-19T19:00:32Z",
"id": "IN-MAL-2026-003251",
"import_time": "2026-05-26T05:50:17.723507222Z"
}
]
}{
"package_integrity": [
{
"filename": "workrally-2.4.0.tgz",
"hashes": {
"sha512_sri": "sha512-aukch3+jLfW+9VLcx1UJ8It+yt0g9RCssEyXViDbelP6nOD9T7J9iG0f3jinpOo1hc19H9BPpI4vnCzhuaBnxg==",
"sha1": "d35858f760aa6574c80d4d67f077236a07e1fee0"
}
}
],
"evidence_files": [
{
"sha256": "a8ef6846a353869412db0b2e84699b0bd5c9c8a80ca147b249a612993409ae7b",
"path": "dist/index.js",
"tlsh": "5d83e86caba5b92657ebb0c1bd040a0adab25f5c4142dc3be1f8ed8b7350456c593b38"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/workrally/MAL-2026-4732.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]