MAL-2026-5609

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clean-my-pc/MAL-2026-5609.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5609
Published
2026-06-11T06:52:05Z
Modified
2026-06-11T08:01:31.423362127Z
Summary
Malicious code in clean-my-pc (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6)

The package's collect.js imports child_process, fs, http, https, and os, gathers host identifiers via os.hostname() and os.homedir(), reads files from the local filesystem (fs.existsSync checks at lines 20 and 27), and POSTs the collected data to a hardcoded external endpoint at http://aab.sportsontheweb.net (referenced at line 13, with the POST request at line 366). The destination domain is unrelated to any legitimate PC-cleaning utility purpose and matches the structural fingerprint of a host-information / filesystem exfiltration beacon: hardcoded non-publisher C2 + system identity collection + outbound POST. Installing or loading this package causes the installer's hostname, home-directory contents indicator, and other host data to be transmitted to the attacker-controlled endpoint over plaintext HTTP.


Affected packages

npm / clean-my-pc

Affected versions

1.*
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.9

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "clean-my-pc-1.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-l9dv2bttx+7H778DOJA5L7fIEbXTurh0IagWw65Dq7RDulctsIo5qDSurP4Lteq3iVs9Ox2En2VfbKir1AHY5g==",
                "sha1": "bdd6126736ed4667fa52fbe077f157493bef3246"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "2234a3b6d47ca087b14e0eac39c71d339f0e1f69e2deee983dc5df7e59b6f433",
            "path": "collect.js",
            "tlsh": "2ca22e5b14cb351ac747e70ad7670014ad88afb3b112bf41bb8c9bd41f2ad16a2d09f9"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clean-my-pc/MAL-2026-5609.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]