MAL-2026-5578

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-clean/MAL-2026-5578.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5578
Aliases
  • GHSA-82q4-cw9w-vjj4
Published
2026-06-11T05:06:29Z
Modified
2026-07-06T20:01:58.577331008Z
Summary
Malicious code in webpack-cache-clean (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9)

On npm install, the package runs a postinstall hook (node -e "require('./loader.js')") that spawns a detached child process. The child decodes an obfuscated base64 URL (mislabeled as 'hex' with large whitespace padding) resolving to https://jsonkeeper.com/b/L435A, an anonymous JSON paste host, performs an HTTPS GET, extracts JavaScript source from a manifest.session field, writes it to a temp file, and require()s it — with no signature, hash, or pinned-version check. The fetched code runs with the installer's privileges and can be changed by the attacker between fetches. The package metadata is also inconsistent: the package name is webpack-cache-clean, the README is titled webpack-cache-plugin, the repository URL points at webpack-tools/webpack-cache-plugin, and the author is the generic Webpack Tools — a cover story to lure installers searching for legitimate webpack cache tooling. This satisfies install-time-rce: attacker-controlled, unpinned, obfuscated remote code execution fires automatically on default install.

Source: ghsa-malware (6f98923d9f08741f534522f4b816b09d5953f8d73ddbaef49710ba42236a9cff)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-11T05:06:29Z",
            "versions": [
                "0.1.4"
            ],
            "sha256": "8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9",
            "import_time": "2026-06-11T05:41:05.393584545Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005544"
        },
        {
            "modified_time": "2026-07-06T19:00:33Z",
            "versions": [
                "0.1.4"
            ],
            "sha256": "6f98923d9f08741f534522f4b816b09d5953f8d73ddbaef49710ba42236a9cff",
            "import_time": "2026-07-06T19:53:47.937790638Z",
            "source": "ghsa-malware",
            "id": "GHSA-82q4-cw9w-vjj4"
        }
    ]
}
References
Credits

Affected packages

npm / webpack-cache-clean

Package

Name
webpack-cache-clean
View open source insights on deps.dev
Purl
pkg:npm/webpack-cache-clean

Affected ranges

Affected versions

0.*
0.1.4

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "e531789e1ba52334da70d3d683275426d6a3e6323341d6c0b65c54d20fa2270c2b3efc",
            "sha256": "91bcbd111d8efdb3e486c7ff2ec7d1d8b8710b971f196d909748e33e8263e1a5",
            "path": "loader.js"
        },
        {
            "tlsh": "79f0c0244a646d3319e042c9085093f1f72ace6b09407c894bd3002d868e5b2abfe36e",
            "sha256": "4bf21b43417a589f79a919a35b947239528dd59a03747c2567a34e08f17e5ba3",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "f8af520244d3e4fc3d3d97c52cfd19acf09d85fc",
                "sha512_sri": "sha512-CVjFL89jerXWo89L992kc+1t7D9cwZVifX/9o5WKHaAubGZLNtHFl2W74pPx6rzy3xxaBksVQ4Olz+OZTN2luA=="
            },
            "filename": "webpack-cache-clean-0.1.4.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-clean/MAL-2026-5578.json"