MAL-2026-5704

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/friendly-greeter-demo/MAL-2026-5704.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5704

Published

2026-06-12T19:15:47Z

Modified

2026-06-12T20:01:51.485870842Z

Summary

Malicious code in friendly-greeter-demo (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3d7aae6052d68219fd3611f6c4faf98ebaa10c81bb2190be2ba9fc8c21414ca8)

The package presents itself as a trivial greeting library but ships two independent backdoor paths to a hardcoded bare-IP C2 at http://98.86.244.177:8080. (1) package.json declares "postinstall": "node postinstall.js", which fires on every npm install. postinstall.js re-spawns itself as a detached daemon (POSTINSTALLDAEMON=1), POSTs the installer's os.hostname() and process.platform to /register, polls /beacon for a command field, executes it via childprocess.exec with a 30s timeout, and POSTs stdout+stderr back to /results in a jittered loop — a persistent command-and-control backdoor that survives the install and grants the operator of 98.86.244.177 full shell on the installer's machine. (2) index.js (the declared main) contains a top-level IIFE that performs the same /register → /beacon → exec → /results flow on require('friendly-greeter-demo'), so any consumer that imports the package as a library also gets full RCE. The C2 destination is a bare IPv4 over plaintext HTTP, with no relation to the package's stated greeting purpose.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006209",
            "versions": [
                "1.0.4"
            ],
            "sha256": "296efda061a9a7286225d84524e63a37f5d4b655352f579db38e6ab244911f1b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:16:32Z",
            "import_time": "2026-06-12T19:44:20.15234419Z"
        },
        {
            "id": "IN-MAL-2026-006212",
            "import_time": "2026-06-12T19:44:20.470285031Z",
            "sha256": "3d7aae6052d68219fd3611f6c4faf98ebaa10c81bb2190be2ba9fc8c21414ca8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:16:36Z",
            "versions": [
                "1.0.6"
            ]
        },
        {
            "id": "IN-MAL-2026-006210",
            "import_time": "2026-06-12T19:44:20.250199272Z",
            "sha256": "6abf509238a817b53302533e1df0b744115e5814c7cf707a5d86d9bc0414d8c4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:16:33Z",
            "versions": [
                "1.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-006208",
            "import_time": "2026-06-12T19:44:20.065373665Z",
            "sha256": "cf7bb5ffaaf1b751fff6564106d0f381be58f3c9541e571f9e1f580a2358d99f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:15:47Z",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "id": "IN-MAL-2026-006211",
            "versions": [
                "1.0.1"
            ],
            "sha256": "e42b62d2ce224204686eadc2dd79e8059a3f21a3fd407b84e7e0a8434af594af",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:16:36Z",
            "import_time": "2026-06-12T19:44:20.384109941Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / friendly-greeter-demo

Package

Name: friendly-greeter-demo; View open source insights on deps.dev
Purl: pkg:npm/friendly-greeter-demo

Affected ranges

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.0.6

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "fb87e8a90951215f81a9bf45197387e4211d24103da368cf4eceb7ac217c9211",
            "tlsh": "8e41418628f62634a273e6cdea5794276112e0177547cdb1fa4c41602fd732cd4a37ee"
        },
        {
            "path": "index.js",
            "sha256": "03a6f199b8f9b9946d61fab0a950196c243a68b1ccbcdce8ddef6610dba52c76",
            "tlsh": "9341e44654f6656287a39ba9f74f740a6323d0273117cd51f88c42606fd363c54f2be9"
        },
        {
            "path": "package.json",
            "sha256": "5d7198391de1fbeb3ca9cd427162d1378f00ad949e1baa1e20e7f5009a22266a",
            "tlsh": "71e02b518d551a331ac10e962856a20df9364d2b02887c4db76b404c4f9e76b58ff74f"
        }
    ],
    "package_integrity": [
        {
            "filename": "friendly-greeter-demo-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-UbYQFL1mPETCpOuuStniNaDCUZuUH/jC3h9jIfT7cnkGJAh9Rsve6CCq2L9xhSHvCG4zzmCBVY/r3GAmJGlLEQ==",
                "sha1": "2654f7260acfac7ec4f162770aae176298dafd1a"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/friendly-greeter-demo/MAL-2026-5704.json"