On every npm install, the package's postinstall lifecycle script in package.json spawns a detached, unref'd Node process that decodes a base64-encoded payload via node -e Buffer.from(...,'base64').toString() and executes it. The decoded payload enumerates the installer's full process.env (excluding only npm_lifecycle* keys), which routinely captures CI/CD secrets, cloud credential env vars, and access tokens; reads os.networkInterfaces(), os.hostname(), os.userInfo().username, the platform, and the current working directory; and HTTPS-POSTs the collected data to a hardcoded Lark/Feishu bot webhook at open.larksuite.com/open-apis/bot/v2/hook/f1ad5ad2-4ba6-4c9d-afc2-0e908cba26a7 after a randomized 15–45 second delay. The payload also contains sandbox-evasion logic that aborts when canonical example AWS keys, dummy-token patterns (R4nD0m, F4k3T0k3n, dummy), or NODE_OPTIONS=--require analyzer hooks are detected, confirming hostile intent. The detached + unref'd spawn pattern is designed to outlive the install process and hide its output.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "1.10.0"
      ],
      "sha256": "17402ad5019d1d433139ce2652d18d2493d87acfd1ede435a94c87eb421f25b1",
      "modified_time": "2026-06-11T04:45:24Z",
      "source": "amazon-inspector",
      "import_time": "2026-06-11T05:40:58.009263027Z",
      "id": "IN-MAL-2026-005469"
    }
  ]
}
{
  "package_integrity": [
    {
      "filename": "field-upload-tool-1.10.0.tgz",
      "hashes": {
        "sha512_sri": "sha512-lLZ7YdWqeFtwu3ZdaVxXIuPKKXS4MAvFLfZo+1xPhWXSY1Hbc8AbIIPTdWKESmmI+fwHSUjbYpSm0rnMLsfKag==",
        "sha1": "a531045509df07a479138be9c65f7f74f338ff89"
      }
    }
  ],
  "evidence_files": [
    {
      "sha256": "2c56b1b1a0a961b825d9cf172a8cd51605cde5989c4972086a8fb1a1832a717f",
      "path": "package.json",
      "tlsh": "a2027320ce458da302a8089665ac0e9302bd91574c96fc8d772c27bc5f6d29f63b5f9e"
    }
  ]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/field-upload-tool/MAL-2026-5567.json"
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]