MAL-2026-5624

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/edu-npm-postinstall-demo2/MAL-2026-5624.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5624
Published
2026-06-11T08:25:49Z
Modified
2026-06-12T20:01:50.907949465Z
Summary
Malicious code in edu-npm-postinstall-demo2 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ce30f195fb63661526196defd7d613a58ded58acd1208989400bf6267de6bfb1)

On npm install, postinstall.js reads the installer's .env file from INITCWD, harvests environment variable values (DEMO-prefixed), collects host identifiers via os.hostname() and os.platform(), and POSTs the combined payload to a hardcoded ngrok tunnel at https://scary-blooper-brewery.ngrok-free.dev/collect. The package describes itself as an educational demo, but the destination is an anonymous, author-mutable tunneling host with no publisher relationship — the canonical install-time exfiltration shape. Additionally, package.json declares a build script pointing at scripts/mine_cyrpto.js (misspelled 'crypto'); the file is currently empty and not auto-invoked, but its presence in the tarball is a quality/intent signal alongside the exfil. Installer harm is concrete and automatic on default install: filesystem read of installer secrets + host fingerprinting + outbound transmission to an attacker-style endpoint.

Source: ossf-package-analysis (fb14831b7d92cfc67e25e029a80fd7a2fb855e68863a0f08f71e8d5fe41fe7ea)

The OpenSSF Package Analysis project identified 'edu-npm-postinstall-demo2' @ 1.0.3 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "fb14831b7d92cfc67e25e029a80fd7a2fb855e68863a0f08f71e8d5fe41fe7ea",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-11T08:25:49Z",
            "import_time": "2026-06-11T09:36:25.905564153Z"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "af1015b5508b476dcc0e9aec7c5692f2a296e4cf4ae25a6190c767fd4fe73ef8",
            "modified_time": "2026-06-12T19:07:27Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:59.012994271Z",
            "id": "IN-MAL-2026-006020"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "ce30f195fb63661526196defd7d613a58ded58acd1208989400bf6267de6bfb1",
            "modified_time": "2026-06-12T19:07:26Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:58.808709978Z",
            "id": "IN-MAL-2026-006018"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "4ede37dc48469ec273b470e4b74c65d4f7dfc5a19afac08339287ba16cd0a46a",
            "modified_time": "2026-06-12T19:07:25Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:58.696694968Z",
            "id": "IN-MAL-2026-006017"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "8c1c93fac029298c9951ee680beaec72a89851dd5d6fdabcce01b740d500ef20",
            "modified_time": "2026-06-12T19:07:22Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:58.178231618Z",
            "id": "IN-MAL-2026-006012"
        }
    ]
}

Affected packages

npm / edu-npm-postinstall-demo2

Package

Name
edu-npm-postinstall-demo2
Purl
pkg:npm/edu-npm-postinstall-demo2

Affected ranges

Affected versions

1.*
1.0.1
1.0.2
1.0.3

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "edu-npm-postinstall-demo2-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-zVNvLre9zYEkphTY9gLWzSZTEZKvBHUcNMIkCNamZJnLsjOLCc8UiNMk7oLWntMvEc6VYz/DzSTb+L6VW18D9A==",
                "sha1": "a586db7459aaf4b80262d9977bfcd7ad520d48b6"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e33885a839811a2b8643a9de7a58b5667191089f7502bcc2299e499aa6a248cd",
            "path": "postinstall.js",
            "tlsh": "e17145c920f2526003eb73d4594f7476f235e2437814d9547e9e53801fc292897e6bab"
        },
        {
            "sha256": "c61d2ed9b6bf687c2bb867d79bccb596b7b591bf2a8fc29f6629131c88b5160f",
            "path": "package.json",
            "tlsh": "46f08410cd101f33a9c8ae2b183a414ae4700c078918bc2837f750ac0b8f17b98bf67e"
        }
    ],
    "domains": [
        "scary-blooper-brewery.ngrok-free.dev"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/edu-npm-postinstall-demo2/MAL-2026-5624.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]