MAL-2026-5715

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/workflow-postgres-setup/MAL-2026-5715.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5715
Published
2026-06-12T19:48:49Z
Modified
2026-06-12T21:01:43.356251622Z
Summary
Malicious code in workflow-postgres-setup (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963)

The package advertises itself as a Postgres/workflow setup helper but ships no library code — the declared main entry index.js is absent from the tarball. Its only functional code is bin/run.js, which on invocation (via npx workflow-postgres-setup or the installed bin) reads process.env.INIT_CWD || process.cwd(), takes the basename, and POSTs it as JSON to a hardcoded third-party endpoint at https://deepbounty.dd06-dev.fr/cb/33d63669-244d-4409-9fba-eb1d32d10cc1. The package's own description self-identifies as a dependency-confusion / npx-typosquat proof-of-concept. Project directory names can themselves be sensitive (internal codenames, customer names, unreleased product identifiers), and the beacon attributes the leak to a specific tracking ID controlled by the operator of the callback domain. The generic, functionality-promising name is consistent with typosquat / dependency-confusion bait targeting developers searching for Postgres setup tooling.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006218",
            "versions": [
                "1.0.0"
            ],
            "sha256": "19848a1b4a7188ada5866c459ec2b966b9aa6ba1d23e3c25b1f54939e6a6b963",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:48:49Z",
            "import_time": "2026-06-12T20:49:36.67323595Z"
        }
    ]
}

Affected packages

npm / workflow-postgres-setup

Package

Name
workflow-postgres-setup
Purl
pkg:npm/workflow-postgres-setup

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "bin/run.js",
            "sha256": "b30248570adf2574e108efcdefbfdc89d8da2684a46ec737d2ed244cf5b5328c",
            "tlsh": "822141d959c212756af14fe04513ad0efb2bf2177a01c1947aec41892fb122491a2ddd"
        },
        {
            "path": "package.json",
            "sha256": "bf5e0d3dfb942600d712a6ecc0503102f468df17f41c6681a6c57107db3e81e6",
            "tlsh": "c0d0121f5dc2a05b5d89cff428b7a5b02e25026d7026c8d83a8c7c31c6d2ff6692e644"
        }
    ],
    "package_integrity": [
        {
            "filename": "workflow-postgres-setup-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-uctyOvTQdDI/XY+YTn25GzX12It3JeZIIdtkTj01P5RRYaZNnJTViqqgfYDdbOAQpk0XPtF0v61Ty1PI+lNr2A==",
                "sha1": "4349d6bd2ad0375a5acc3392e2d35c8a2b065566"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/workflow-postgres-setup/MAL-2026-5715.json"