-= Per source details. Do not edit below this line.=-
The package's scripts.install runs install.js on every npm install. The script unconditionally POSTs the installer's hostname, OS, and architecture to api.telegram.org using a hardcoded bot token and chat ID (install.js:7 BOT_TOKEN = '8877182499:...', install.js:50-56 builds the message and sends via sendTelegramMessage()). On Windows, the same script writes a hidden PowerShell bootstrapper that installs Scoop/Winget and Deno, then executes deno -A http://77.90.185.225/deee80f30a6921b4.js — fetching an arbitrary JavaScript payload from a bare-IP HTTP URL and running it with all Deno permissions under a hidden PowerShell window. The package has no legitimate functionality (index.js only logs a string; placeholder author work1, description cms install) and exists solely to deliver the install-time payload. Both install-time host reconnaissance exfiltration and install-time arbitrary remote code execution from attacker infrastructure are present.
The OpenSSF Package Analysis project identified 'cms-store-ren' @ 1.1.1 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"1.1.1"
],
"sha256": "1e0e43b074cffbde07a16c0b1ae1645b1edebcfa7fe192f6161237b0f011952d",
"source": "ossf-package-analysis",
"modified_time": "2026-06-04T12:05:39Z",
"import_time": "2026-06-09T12:03:46.983784168Z"
},
{
"versions": [
"1.1.1"
],
"sha256": "da3593e36ce898d648883ea6f911a5cec1f75f9e8bda5585f7ff5f8754c821de",
"modified_time": "2026-06-11T05:10:25Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T05:41:05.954798755Z",
"id": "IN-MAL-2026-005549"
},
{
"versions": [
"1.1.1"
],
"sha256": "7d7f0ddfa720bc522473f92b17681d0c2092724865c30103b7c2cb558b9b5629",
"modified_time": "2026-06-11T05:10:25Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T05:41:06.044063131Z",
"id": "IN-MAL-2026-005550"
}
]
}
{
"package_integrity": [
{
"filename": "cms-store-ren-1.1.1.tgz",
"hashes": {
"sha512_sri": "sha512-1opt+gaixQP4XLgTtBYpJgm3EUw4RrCYe8QprsSiFmanT4IrFckNgh57xS55XJgdyFSBbirg9WRG6JtJ5Hm2jQ==",
"sha1": "1feda0c27848bc53241bdebe942abc45103f7c05"
}
}
],
"evidence_files": [
{
"sha256": "ec5bc6c76a845d717e0cbb7c7f29f38dedf1bdb22a83ea68620cf4f31824a87c",
"path": "install.js",
"tlsh": "9e7142d023f5c2e547736fb2b5d2a60ae22e80297213d380f4bd81c17fa1568c7a1dac"
},
{
"sha256": "24ca0eabb8c574d5facfc36781b96edccffdd40f7952289ef956a47b51dce9f2",
"path": "package.json",
"tlsh": "fee026328b13497328f45b916c671105f2120f2f02344c0f39fb001c6bb322904ab31e"
}
],
"domains": [
"api.telegram.org"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cms-store-ren/MAL-2026-5364.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]