MAL-2026-5562

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@koadz/sso/MAL-2026-5562.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5562
Published
2026-06-11T04:45:50Z
Modified
2026-06-11T05:46:33.589971714Z
Summary
Malicious code in @koadz/sso (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d284d5d0421ad906d63959ed4e0f3354106166311f4066ff794669f52d1eacfb)

package.json declares a postinstall hook that runs dist/index.js. The compiled bundle contains an appended payload (absent from the index.ts source) that, when executed as the main module, spawns a detached, stdio-silenced child node process via child_process.spawn(process.execPath, ['-e',...]). The inline script collects os.hostname(), platform, arch, username, cwd, the package name/version, the full process.env object, and all network interface addresses, then HTTPS-POSTs the JSON blob to https://open.feishu.cn/open-apis/bot/v2/hook/94ad3a53-f0d6-4ddd-809f-305d928db6d5. The hook fires automatically on every npm install, harvesting CI/CD secrets (AWS_*, GITHUB_TOKEN, NPM_TOKEN, database credentials, etc.) from any machine that installs the package. The detached/unref'd spawn and stdio:'ignore' hide the activity from install logs, and the source/dist divergence indicates a deliberate payload smuggle rather than documented behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005470",
            "versions": [
                "1.0.0"
            ],
            "sha256": "d284d5d0421ad906d63959ed4e0f3354106166311f4066ff794669f52d1eacfb",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:45:50Z",
            "import_time": "2026-06-11T05:40:58.100000573Z"
        }
    ]
}

Affected packages

npm / @koadz/sso

Package

Name
@koadz/sso
Purl
pkg:npm/%40koadz%2Fsso

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "dbb263689651ef8c405b10df1fbf8c0c3a4d5828fe6556b673da304b718f6ac8",
            "tlsh": "df319a9337d9fde493e402d44a27a4915fe9d0323021b4f8e38c5ef907952858191b6e"
        }
    ],
    "package_integrity": [
        {
            "filename": "sso-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-8wT3rW67HtGWIdXSJSdkbXhxhwKxCk2If6bzvigqqhEQQx6fhLis/ZvTArFb+oOe/JSGXjhzLceB/L3Mxg841A==",
                "sha1": "8118f653cc1407ed91422e8261d24a34ec1f9f29"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@koadz/sso/MAL-2026-5562.json"