MAL-2026-4732

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/workrally/MAL-2026-4732.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4732
Withdrawn
2026-05-26T18:49:12Z
Published
2026-05-19T19:00:32Z
Modified
2026-05-27T00:32:10.127563578Z
Summary
Malicious code in workrally (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (502275ca25c6fb0e28db57d91789be11e347b5f21696ed45e15c015d123eaf51)

dist/index.js imports child_process and runs whoami (observed at multiple call sites), then POSTs the result to a hardcoded remote URL https://workrally.qq.com. This is the classic host-identity exfiltration shape: gather installer-side identity via whoami and ship it to an attacker-controlled destination. The destination is a literal in the bundle (not a default parameter or user-configurable endpoint), and the package's stated purpose does not justify reporting host identity off-machine. Installing or loading this package leaks the installer's username/host to the operator of workrally.qq.com.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.4.0"
            ],
            "sha256": "502275ca25c6fb0e28db57d91789be11e347b5f21696ed45e15c015d123eaf51",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T19:00:32Z",
            "id": "IN-MAL-2026-003251",
            "import_time": "2026-05-26T05:50:17.723507222Z"
        }
    ]
}

Affected packages

npm / workrally

Affected versions

2.*
2.4.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "workrally-2.4.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-aukch3+jLfW+9VLcx1UJ8It+yt0g9RCssEyXViDbelP6nOD9T7J9iG0f3jinpOo1hc19H9BPpI4vnCzhuaBnxg==",
                "sha1": "d35858f760aa6574c80d4d67f077236a07e1fee0"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "a8ef6846a353869412db0b2e84699b0bd5c9c8a80ca147b249a612993409ae7b",
            "path": "dist/index.js",
            "tlsh": "5d83e86caba5b92657ebb0c1bd040a0adab25f5c4142dc3be1f8ed8b7350456c593b38"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/workrally/MAL-2026-4732.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]