MAL-2026-5557

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-ft/MAL-2026-5557.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5557
Published
2026-06-11T02:53:06Z
Modified
2026-06-11T04:01:29.199386024Z
Summary
Malicious code in janus-ft (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f)

On npm install, the package's postinstall.js script harvests installer-side secrets and ships them to a hardcoded bare-IP C2 endpoint. Specifically, it (1) collects hostname, username, and cwd; (2) iterates process.env and selects keys matching the regex /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i; (3) reads .env from cwd, parent directories, and the user's home directory; (4) reads ~/.npmrc (leaking npm auth tokens that enable further supply-chain compromise) and ~/.config/ipor-fusion/config.json (targeting users of the IPOR Fusion DeFi protocol); and (5) POSTs the bundled payload to https://193.203.169.109:8443/c/janus-ft with TLS verification disabled (rejectUnauthorized:false). The package's main entry (index.js) is module.exports = {}; — it provides no actual functionality, confirming the package exists solely to execute the credential-harvesting payload at install time. The targeted read of ipor-fusion config plus the blockchain-developer-oriented env keyword list (MNEMONIC, PRIVATE, WALLET, ALCHEMY, INFURA) indicate this is a targeted attack on DeFi/blockchain developers.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005399",
            "versions": [
                "1.0.0"
            ],
            "sha256": "8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:53:06Z",
            "import_time": "2026-06-11T03:48:46.283538586Z"
        }
    ]
}
References
Credits

Affected packages

npm / janus-ft

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "6b33a3dff0c0f02357b32e321f376a592b431202cbc57fed30f3d53de1b325f6",
            "tlsh": "7c0116f54256d97f7a7707a4a58c3e01fdb38d5026469de26ce85d5731622900433e39"
        }
    ],
    "package_integrity": [
        {
            "filename": "janus-ft-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Kj3S0QKTDUNsuIgJ0fFIPLWkEXeiTgRPpnsyyNTMBnwDq2YknrkATzXRXPwPaEw17AplCkEswoKJEXqIdeI9Kw==",
                "sha1": "9c384e6b8d50d576408d15ae4c5cb5ade66ea6fa"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-ft/MAL-2026-5557.json"