-= Per source details. Do not edit below this line.=-
The package's collect.js imports child_process, fs, http, https, and os, gathers host identifiers via os.hostname() and os.homedir(), reads files from the local filesystem (fs.existsSync checks at lines 20 and 27), and POSTs the collected data to a hardcoded external endpoint at http://aab.sportsontheweb.net (referenced at line 13, with the POST request at line 366). The destination domain is unrelated to any legitimate PC-cleaning utility purpose and matches the structural fingerprint of a host-information / filesystem exfiltration beacon: hardcoded non-publisher C2 + system identity collection + outbound POST. Installing or loading this package causes the installer's hostname, home-directory contents indicator, and other host data to be transmitted to the attacker-controlled endpoint over plaintext HTTP.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.5"
],
"sha256": "0643990e40a068c184fc70b258368e07ce0b7cb6b81478a82da8e76e169dfbfe",
"modified_time": "2026-06-11T06:52:08Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005660",
"import_time": "2026-06-11T07:49:38.073051906Z"
},
{
"versions": [
"1.0.2"
],
"sha256": "5f90d40c1809406517b17c6d51086a8bc1c09492413d8db182dbb29de829bd37",
"modified_time": "2026-06-11T06:52:14Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005662",
"import_time": "2026-06-11T07:49:38.248936275Z"
},
{
"versions": [
"1.0.1"
],
"sha256": "8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6",
"modified_time": "2026-06-11T06:52:13Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T07:49:38.163022943Z",
"id": "IN-MAL-2026-005661"
},
{
"versions": [
"1.0.4"
],
"sha256": "9c0da96e59f83bd52a688d90504e873aa5c0c8ed2ec5fc37c0d35b35ac6dc190",
"modified_time": "2026-06-11T06:52:06Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005659",
"import_time": "2026-06-11T07:49:37.981203016Z"
},
{
"versions": [
"1.0.9"
],
"sha256": "cb6ce87f95f3510f104ff3b69e555f9dcff24c2b4333967e21f2c2264b673c3a",
"modified_time": "2026-06-11T06:52:05Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T07:49:37.799536831Z",
"id": "IN-MAL-2026-005657"
},
{
"versions": [
"1.0.3"
],
"sha256": "4110a6fab49f763df4587e8710ef8e4e0ec5823c7a65cff1462ccdcc6a95da5b",
"modified_time": "2026-06-11T06:52:06Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005658",
"import_time": "2026-06-11T07:49:37.882010642Z"
}
]
}{
"package_integrity": [
{
"filename": "clean-my-pc-1.0.5.tgz",
"hashes": {
"sha512_sri": "sha512-l9dv2bttx+7H778DOJA5L7fIEbXTurh0IagWw65Dq7RDulctsIo5qDSurP4Lteq3iVs9Ox2En2VfbKir1AHY5g==",
"sha1": "bdd6126736ed4667fa52fbe077f157493bef3246"
}
}
],
"evidence_files": [
{
"sha256": "2234a3b6d47ca087b14e0eac39c71d339f0e1f69e2deee983dc5df7e59b6f433",
"path": "collect.js",
"tlsh": "2ca22e5b14cb351ac747e70ad7670014ad88afb3b112bf41bb8c9bd41f2ad16a2d09f9"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clean-my-pc/MAL-2026-5609.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]