MAL-2026-5604

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cache-section-helper/MAL-2026-5604.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5604

Published

2026-06-11T07:24:13Z

Modified

2026-06-11T08:01:30.890316489Z

Summary

Malicious code in cache-section-helper (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cad3d2732831e4b798073aff289abd1abdbb718b4caa9e4f970a0dd3f7733653)

package.json declares a postinstall hook (node -e "require('./loader.js')") that runs automatically on every npm install. loader.js hex-decodes the string 68747470733a2f2f6a736f6e6b65657065722e636f6d2f622f4c34333541 to the URL https://jsonkeeper.com/b/L435A, fetches a JSON document from that anonymous paste host, extracts a manifest.session field, writes it to a temporary file under os.tmpdir()/wpc-*/cfg-<ts>.js, require()s it to execute the attacker-supplied JavaScript, then deletes the file to hide traces. The dropper is launched via spawn(process.execPath, [tmpFile], { detached: true, stdio: 'ignore', cwd: os.tmpdir() }).unref() so the child Node process outlives the npm install and runs without producing visible output. The package presents itself as a webpack caching helper (class WebpackCachePlugin in index.js, a README that instructs npm install cache-helper — a different name suggesting impersonation), but the advertised plugin code is trivial; the real behavior is the install-time dropper. Every installer fetches and executes attacker-controlled, mutable, unauthenticated code from a paste host with no integrity verification.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005702",
            "versions": [
                "1.0.7"
            ],
            "sha256": "4da4f8014e1d74a0329e5f414692fb9267f2eab553d393e47d810078f1708b06",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:24:14Z",
            "import_time": "2026-06-11T07:49:42.720701973Z"
        },
        {
            "id": "IN-MAL-2026-005701",
            "versions": [
                "1.0.7"
            ],
            "sha256": "cad3d2732831e4b798073aff289abd1abdbb718b4caa9e4f970a0dd3f7733653",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:24:13Z",
            "import_time": "2026-06-11T07:49:42.598096171Z"
        }
    ]
}

References

https://www.npmjs.com/package/cache-section-helper/v/1.0.7

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / cache-section-helper

Package

Name: cache-section-helper; View open source insights on deps.dev
Purl: pkg:npm/cache-section-helper

Affected ranges

Affected versions

1.*

1.0.7

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cache-section-helper/MAL-2026-5604.json"

indicators

{
    "evidence_files": [
        {
            "path": "loader.js",
            "sha256": "a5ead14cb7532cc465ecd9f3330450e8bd6c35fca6b9d9dd2411344828294e83",
            "tlsh": "d2318a9e1ba52234da70d3d653235426d5a3e6327341e6c0b65c58d20fa2270d2b3dfc"
        },
        {
            "path": "package.json",
            "sha256": "72ad22dc419e8c232e8d8d82b50e7926551b4cfa6e55f1b83e3f0c3fb2b2b5a1",
            "tlsh": "a5f0c0384a60a9330bc102aa7c119241b7214e1f6704bc1916e7002e87de2f3d6ff3ad"
        }
    ],
    "package_integrity": [
        {
            "filename": "cache-section-helper-1.0.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-w+gWZ7eFUiuSypnHouvHCecRqeHnWMuH0bpd3MlEjnVHK5tF0UDQKiF6E8+/e0nvDUEyWGUBCLxpmNjj+feXzQ==",
                "sha1": "411e631204f3369a31640efcdf9c8b71dae141e9"
            }
        }
    ],
    "domains": [
        "jsonkeeper.com"
    ]
}