MAL-2026-5603

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/backup-my-data/MAL-2026-5603.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5603

Published

2026-06-11T06:53:18Z

Modified

2026-06-11T08:01:30.331002272Z

Summary

Malicious code in backup-my-data (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6)

The package's collect.js loads child_process, fs, os, http and https, gathers host identifiers via os.hostname() and os.homedir(), enumerates filesystem paths via fs.existsSync, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net (collect.js line 13, POST at line 366). The package's stated purpose ('backup-my-data') is a cover; the runtime behavior is system-information harvesting and exfiltration to an attacker-controlled host that has no relationship to the package name or any documented backup service. Installing or loading this package leaks host identity and filesystem reconnaissance data to a third-party endpoint.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005663",
            "versions": [
                "1.0.9"
            ],
            "sha256": "3184167d3b1cd30c17f285b5bc511295b55de4b37de52a228cda9f1b80044247",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:53:18Z",
            "import_time": "2026-06-11T07:49:38.352965425Z"
        },
        {
            "id": "IN-MAL-2026-005665",
            "versions": [
                "1.0.2"
            ],
            "sha256": "909d29560b504f0b737cee3d66f3b32cc61931824e7547c44fb1b30d4958c427",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:53:24Z",
            "import_time": "2026-06-11T07:49:38.730593844Z"
        },
        {
            "id": "IN-MAL-2026-005664",
            "versions": [
                "1.0.1"
            ],
            "sha256": "de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:53:18Z",
            "import_time": "2026-06-11T07:49:38.647773894Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / backup-my-data

Package

Name: backup-my-data; View open source insights on deps.dev
Purl: pkg:npm/backup-my-data

Affected ranges

Affected versions

1.*

1.0.1

1.0.2

1.0.9

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "collect.js",
            "sha256": "57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8",
            "tlsh": "cea21e5b14cb351ac747e70ad7670014ad88abb3b113bb41bb8c9bd41f2ad2663d09f9"
        }
    ],
    "package_integrity": [
        {
            "filename": "backup-my-data-1.0.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-vUzE66lKCmekDjyYXYeZ7U6iE7Kd4+v6qPxD7UNIvf9/bhC+10G5IOYC1hGbdCXqSougY9bMggh1GBZvEzbc1w==",
                "sha1": "6733eedc8da2b17c5419f34447f6e1aa060d8e58"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/backup-my-data/MAL-2026-5603.json"