MAL-2026-5577

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web-pool/MAL-2026-5577.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5577
Published
2026-06-11T05:10:52Z
Modified
2026-06-11T05:46:32.719789659Z
Summary
Malicious code in web-pool (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d2b1d78cd3ff0c5eeead299eb670d299590b48a453c9416ae2a692bc4173737c)

Requiring web-pool triggers middleware() to spawn a detached node lib/initializeCaller.js process. That script base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env (CI tokens, npm tokens, AWS_*, GITHUB_TOKEN, arbitrary secrets) to it, and executes the HTTP response body via new Function('require', response.data)(require), granting the attacker arbitrary code execution under the installer's Node process. The C2 URL is hidden behind base64 inside a fake local process object that shadows Node's real process, an obfuscation pattern designed to defeat static URL scanning. The README masquerades as the pino logger (titled web-corn, badges and links point to npm pino and pinojs/pino), making this a typosquat lure with a malware loader as its only real behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005552",
            "versions": [
                "2.3.5"
            ],
            "sha256": "d2b1d78cd3ff0c5eeead299eb670d299590b48a453c9416ae2a692bc4173737c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:10:52Z",
            "import_time": "2026-06-11T05:41:06.276668416Z"
        }
    ]
}

Affected packages

npm / web-pool

Package

Affected ranges

Affected versions

2.*
2.3.5

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/initializeCaller.js",
            "sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
            "tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df"
        },
        {
            "path": "README.md",
            "sha256": "d78eaaaac028ca2d6f6a457769737b2ca490d38ea624c9ddadc6e5ff4e0718ff",
            "tlsh": "7351b6a782e46bbe4b6300f1a1c275a9ff5f931c7b6a606ddc9c913d031d9d7813224a"
        }
    ],
    "package_integrity": [
        {
            "filename": "web-pool-2.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-CstMwRyD74dnfaKW5NZInq6Mfsmezy3dB9f5Bfi9KZ+8eJjZ0XHhu0ZYCQ5wxjdlXX+VyRDel2i03DCD4ilnbA==",
                "sha1": "38b6fdd4a9511a255a0cd681d3bc0bb06a270564"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web-pool/MAL-2026-5577.json"