MAL-2026-5653

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pc-optimizer/MAL-2026-5653.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5653

Published

2026-06-11T13:28:04Z

Modified

2026-06-11T15:01:29.349156575Z

Summary

Malicious code in pc-optimizer (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f046d16052b9121c55f2fd5e6eb2be90ce24e7b007efca3c2a9e7f64dab8f6bf)

The package's collect.js imports childprocess, fs, http, https, and os, reads host identifiers via os.hostname() and os.homedir(), inspects local filesystem paths via fs.existsSync, and POSTs collected data to a hardcoded external endpoint at http://aab.sportsontheweb.net. The destination is not a registry, vendor SDK host, or documented service — it is an unrelated third-party domain bound to a POST in install/load-reachable code. The combination of system enumeration (hostname, homedir, childprocess), filesystem inspection, and a hardcoded non-publisher exfiltration endpoint is the canonical host-information stealer fingerprint and provides direct attacker benefit (host fingerprinting + arbitrary collected data shipped off-host).

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005748",
            "import_time": "2026-06-11T14:48:05.794332855Z",
            "sha256": "9f3f55c554f0b1b48f8ebaa1b8ee6a9d005c972fa06bef7c9727946e5d422aa4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:28:04Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005750",
            "versions": [
                "1.0.2"
            ],
            "sha256": "f046d16052b9121c55f2fd5e6eb2be90ce24e7b007efca3c2a9e7f64dab8f6bf",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:28:07Z",
            "import_time": "2026-06-11T14:48:05.874007514Z"
        },
        {
            "id": "IN-MAL-2026-005749",
            "versions": [
                "1.0.9"
            ],
            "sha256": "f1dd847960d4aa149ddf901c3b85fa93f3ef2b50d5dfeb64ba3b4599f23ed3aa",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:28:05Z",
            "import_time": "2026-06-11T14:48:05.844910927Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / pc-optimizer

Package

Name: pc-optimizer; View open source insights on deps.dev
Purl: pkg:npm/pc-optimizer

Affected ranges

Affected versions

1.*

1.0.1

1.0.2

1.0.9

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "collect.js",
            "sha256": "463735e1a5b9150efad9ef66856033363d7ffb55490e84d1bf450c0e1406ef4d",
            "tlsh": "44a21e5b14cb351ac747e70ad7670014ad88abb3b113bb41bb8c9bd41f2ad2662d09f9"
        }
    ],
    "package_integrity": [
        {
            "filename": "pc-optimizer-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-rRfMT31QEXwhKzT/VbD616FealDguzqCy30jfl1TUCpujTdSXoLbeRKbwpZLGfuZVdueqx2QYRu7UFobVUkCCw==",
                "sha1": "d138178d30e19ce7dacabef112775241a5ff4be1"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pc-optimizer/MAL-2026-5653.json"