MAL-2026-5556

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-flow/MAL-2026-5556.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5556
Published
2026-06-11T02:53:13Z
Modified
2026-06-11T04:01:29.226279513Z
Summary
Malicious code in janus-flow (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1)

On npm install, the package's postinstall hook (node postinstall.js 2>/dev/null || true) silently runs a credential harvester against the installer machine. postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), platform, and timestamp; iterates process.env for keys matching /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i; reads .env files from multiple paths and ~/.npmrc; and POSTs the resulting JSON blob to https://193.203.169.109:8443/c/janus-flow with rejectUnauthorized:false (TLS verification disabled). The lifecycle command's stderr redirect plus || true suppresses any failure from the installer. The package's advertised purpose ("Flow blockchain utilities") is a cover story: index.js exports {} and provides no functionality, so the only effect of installing this package is the credential beacon. The destination is a bare IP unrelated to any Flow blockchain publisher and matches no legitimate vendor endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005400",
            "versions": [
                "1.0.0"
            ],
            "sha256": "2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:53:13Z",
            "import_time": "2026-06-11T03:48:46.49418276Z"
        }
    ]
}

Affected packages

npm / janus-flow

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-flow/MAL-2026-5556.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "eddd394c2665a9a73e5bfd23dbcb5f57be2a7f990e7a6024f67cf175c2439542",
            "tlsh": "520156f18256d93f7a7706a4a58c3f01fcb38d1026469de26cec5c4732622900433e39"
        },
        {
            "path": "index.js",
            "sha256": "8222b8169ee86f25cdccd84d340340060ae3f0cff55e2ea9d344d7c332733b71",
            "tlsh": "f5700002002032820228800ae280800228c080800000800002888aac0000c000000a80"
        }
    ],
    "package_integrity": [
        {
            "filename": "janus-flow-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-/G5JcZYwz4uxnVWI+C1/6AmBcGqMi+HXaXRnM75AOljr9KF83VopqiPALY+sFPNLqvNxC2ng7Y0mSuG8+jqm2Q==",
                "sha1": "ee68d81fbc2eef263365abfa733e0c47f7bc3545"
            }
        }
    ]
}