MAL-2026-5578

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-clean/MAL-2026-5578.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5578
Published
2026-06-11T05:06:29Z
Modified
2026-06-11T05:46:32.770524655Z
Summary
Malicious code in webpack-cache-clean (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9)

On npm install, the package runs a postinstall hook (node -e "require('./loader.js')") that spawns a detached child process. The child decodes an obfuscated base64 URL (mislabeled as 'hex' with large whitespace padding) resolving to https://jsonkeeper.com/b/L435A, an anonymous JSON paste host, performs an HTTPS GET, extracts JavaScript source from a manifest.session field, writes it to a temp file, and require()s it — with no signature, hash, or pinned-version check. The fetched code runs with the installer's privileges and can be changed by the attacker between fetches. The package metadata is also inconsistent: the package name is webpack-cache-clean, the README is titled webpack-cache-plugin, the repository URL points at webpack-tools/webpack-cache-plugin, and the author is the generic Webpack Tools — a cover story to lure installers searching for legitimate webpack cache tooling. This satisfies install-time-rce: attacker-controlled, unpinned, obfuscated remote code execution fires automatically on default install.
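As an added defender-side example (not part of this record, the package, or OSV), here is a small Python checker for the install-time pattern described above: it lists the npm lifecycle hooks declared in package.json, follows any require('./file') a hook names, and flags that file when it both fetches over the network and require()s a non-literal path. The package.json and loader text below are constructed samples modelled on the description, not the real files; PADDED_BLOB, body and tmp are placeholder names.

```python
import re

# Hooks npm runs automatically during `npm install`.
LIFECYCLE = ("preinstall", "install", "postinstall")
# Heuristic indicators of a remote-code loader, as regexes over source text.
INDICATORS = {
    "base64_decode": re.compile(r"Buffer\.from\([^;\n]*?['\"](?:base64|hex)['\"]|\batob\("),
    "network_fetch": re.compile(r"\bhttps?\.(?:get|request)\(|\bfetch\("),
    "temp_write": re.compile(r"writeFile(?:Sync)?\([^)]*(?:tmpdir\(\)|/tmp/)"),
    "dynamic_require": re.compile(r"require\(\s*(?!['\"])[^\s)]"),  # non-literal path
    "detached_spawn": re.compile(r"\bspawn\([^;]*detached\s*:\s*true", re.S),
}
REQUIRE_LITERAL = re.compile(r"require\(\s*['\"]([^'\"]+)['\"]\s*\)")

def lifecycle_scripts(pkg):
    """Return {hook: command} for every install-time hook in package.json."""
    scripts = pkg.get("scripts") or {}
    return {h: scripts[h] for h in LIFECYCLE if h in scripts}

def scan_source(text):
    """Return the set of indicator names whose pattern matches the source."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def assess(pkg, files):
    """files maps each path a hook require()s (as written) to its contents.
    install_time_rce is set when a hook reaches code that fetches from the
    network and then require()s a non-literal path, the advisory's pattern."""
    report = {"hooks": lifecycle_scripts(pkg), "findings": {}, "install_time_rce": False}
    for hook, cmd in report["hooks"].items():
        sources = {hook: cmd}  # the command itself may carry an inline `node -e` payload
        sources.update({t: files[t] for t in REQUIRE_LITERAL.findall(cmd) if t in files})
        for name, text in sources.items():
            hits = scan_source(text)
            if hits:
                report["findings"][name] = sorted(hits)
            if {"network_fetch", "dynamic_require"} <= hits:
                report["install_time_rce"] = True
    return report

# Constructed sample modelled on the advisory text; not the real package's files.
SAMPLE_PKG = {"name": "example-cache-clean", "version": "0.0.1",
              "scripts": {"postinstall": "node -e \"require('./loader.js')\""}}
SAMPLE_LOADER = """
const fs = require('fs'), os = require('os'), https = require('https');
const url = Buffer.from(PADDED_BLOB.trim(), 'base64').toString();  // mislabelled blob
https.get(url, (res) => { /* collect manifest.session into body */ });
fs.writeFileSync(os.tmpdir() + '/s.js', body);
require(tmp);
"""
```

To audit an installed dependency, load its package.json and the files its hooks name and pass them to assess(); a non-empty findings entry is a reason to read the file before trusting it, and install_time_rce means the hook reaches unpinned remote code.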

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005544",
            "versions": [
                "0.1.4"
            ],
            "sha256": "8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:06:29Z",
            "import_time": "2026-06-11T05:41:05.393584545Z"
        }
    ]
}
References
Credits

Affected packages

npm / webpack-cache-clean

Package

Name
webpack-cache-clean
Purl
pkg:npm/webpack-cache-clean

Affected ranges

Affected versions

0.*
0.1.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-clean/MAL-2026-5578.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "loader.js",
            "sha256": "91bcbd111d8efdb3e486c7ff2ec7d1d8b8710b971f196d909748e33e8263e1a5",
            "tlsh": "e531789e1ba52334da70d3d683275426d6a3e6323341d6c0b65c54d20fa2270c2b3efc"
        },
        {
            "path": "package.json",
            "sha256": "4bf21b43417a589f79a919a35b947239528dd59a03747c2567a34e08f17e5ba3",
            "tlsh": "79f0c0244a646d3319e042c9085093f1f72ace6b09407c894bd3002d868e5b2abfe36e"
        }
    ],
    "package_integrity": [
        {
            "filename": "webpack-cache-clean-0.1.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-CVjFL89jerXWo89L992kc+1t7D9cwZVifX/9o5WKHaAubGZLNtHFl2W74pPx6rzy3xxaBksVQ4Olz+OZTN2luA==",
                "sha1": "f8af520244d3e4fc3d3d97c52cfd19acf09d85fc"
            }
        }
    ]
}