MAL-2026-5723

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ci-lifecycle-test/postinstall-ping/MAL-2026-5723.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5723
Published
2026-06-13T02:10:32Z
Modified
2026-06-13T02:31:43.674041705Z
Summary
Malicious code in @ci-lifecycle-test/postinstall-ping (npm)
Details


Source: amazon-inspector (75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509)

The package's postinstall lifecycle script (postinstall.js) runs automatically on npm install and POSTs the JSON-serialized contents of the entire process.env to https://eoarlb39lor5s7x.m.pipedream.net. The fetch call is wrapped with .catch(() => {}), so the exfiltration fails silently and produces no installer-visible error. On CI runners and developer machines, process.env routinely holds high-value secrets (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, CI provider tokens, arbitrary deploy credentials), all of which are shipped to the attacker-controlled Pipedream webhook in a single bulk dump. There is no license check, telemetry disclosure, or other legitimate reason to enumerate the entire environment; the indiscriminate serialization combined with a third-party webhook destination is the canonical install-time credential-harvest shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006274",
            "versions": [
                "1.0.0"
            ],
            "sha256": "47c5e4ee38e9d87c1968c83d8998cb9832d2e72445558ac35217671f1f61d64b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T02:10:33Z",
            "import_time": "2026-06-13T02:23:23.363417093Z"
        },
        {
            "id": "IN-MAL-2026-006273",
            "versions": [
                "1.0.0"
            ],
            "sha256": "75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T02:10:32Z",
            "import_time": "2026-06-13T02:23:23.251089716Z"
        }
    ]
}
References
Credits

Affected packages

npm / @ci-lifecycle-test/postinstall-ping

Package

Name
@ci-lifecycle-test/postinstall-ping
Purl
pkg:npm/%40ci-lifecycle-test%2Fpostinstall-ping

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "dad59be901002b66c9c41859bbccaf0c8c123707b28b67620f89db9af30bff3a",
            "tlsh": "e3c02b6f110f46001d91d78430b0070dc3138b038bc25ce803e044c43f8da78041a0fc"
        }
    ],
    "package_integrity": [
        {
            "filename": "postinstall-ping-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-9YeAUD2R5/KnxUN4MW340/q4dSb0P/CQ4LTYW9R3/v2Ad2DwEsZpPMx5xC4ROlzZtN7q5kk/G+AIEw0F46eHPg==",
                "sha1": "8af802df25614422c3dcc1a94f7e6db260e8e04e"
            }
        }
    ],
    "ips": [
        "10.1.0.2",
        "54.164.250.243",
        "104.16.0.34"
    ],
    "domains": [
        "eoarlb39lor5s7x.m.pipedream.net"
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ci-lifecycle-test/postinstall-ping/MAL-2026-5723.json"