MAL-2026-5579

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-cycle/MAL-2026-5579.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5579
Published
2026-06-11T05:06:33Z
Modified
2026-06-11T05:46:32.863668214Z
Summary
Malicious code in webpack-cache-cycle (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81)

On npm install, package.json's postinstall hook runs node -e "require('./loader.js')". loader.js spawns a detached node process that decodes a hex-encoded URL (https://jsonkeeper.com/b/L435A — an anonymous, mutable paste host), performs an HTTPS GET, writes the response's session field to a temporary.js file, and require()s it — executing attacker-controlled JavaScript on the installer's machine. The URL is obfuscated as a hex literal padded with whitespace inside Buffer.from(...) to evade naive string scanners. The detached spawn lets npm install exit cleanly while the dropper continues asynchronously. The package's advertised purpose is a webpack cache plugin, which does not justify any network access at install time. The package name webpack-cache-cycle and README title webpack-cache-plugin impersonate legitimate webpack tooling, with placeholder author metadata (Webpack Tools) and a non-existent GitHub repository.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005548",
            "versions": [
                "0.1.4"
            ],
            "sha256": "028ed41ba1afb95bb86e0ae1536f3e9b4a2695fc8490b7d83033ac86440d59c5",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:06:34Z",
            "import_time": "2026-06-11T05:41:05.871577895Z"
        },
        {
            "id": "IN-MAL-2026-005547",
            "import_time": "2026-06-11T05:41:05.778008819Z",
            "sha256": "82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:06:33Z",
            "versions": [
                "0.1.4"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / webpack-cache-cycle

Package

Name
webpack-cache-cycle
Purl
pkg:npm/webpack-cache-cycle

Affected ranges

Affected versions

0.*
0.1.4

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "loader.js",
            "sha256": "a5ead14cb7532cc465ecd9f3330450e8bd6c35fca6b9d9dd2411344828294e83",
            "tlsh": "d2318a9e1ba52234da70d3d653235426d5a3e6327341e6c0b65c58d20fa2270d2b3dfc"
        },
        {
            "path": "package.json",
            "sha256": "7c1cfc32811eaeeab6a2241b72d6962048542cfb6afa7c042ce469f1bdf9e7ff",
            "tlsh": "a9f0c0284a646d3319e002c9085093f1f32ace6b09407c984bd3002c868e5b2abfe79e"
        }
    ],
    "package_integrity": [
        {
            "filename": "webpack-cache-cycle-0.1.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-HTXEEsZQBAsvyKqTMd4+bkzmdmUxEW3HSNMXtrWJCghzTg9XI8436Q/I6xrDuCSJ4mseEmh+zwzkmxDG6ITkkw==",
                "sha1": "c7adeafd40371553e4869ecb12567b99065f7067"
            }
        }
    ],
    "domains": [
        "jsonkeeper.com"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-cycle/MAL-2026-5579.json"