MAL-2026-5733

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-app-doctor/MAL-2026-5733.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5733
Published
2026-06-13T06:58:16Z
Modified
2026-06-13T07:31:42.240535378Z
Summary
Malicious code in node-app-doctor (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e)

collect.js gathers host identifiers via os.hostname() and os.homedir(), reads local filesystem state with fs.existsSync, spawns child_process commands, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net. The destination domain is unrelated to any legitimate npm/Node tooling publisher and there is no plausible benign reason for a 'node app doctor' utility to ship installer/host telemetry to that host. The combination of system enumeration (hostname, home directory, child_process), filesystem inspection, and hardcoded plaintext HTTP POST to an unaffiliated domain is the standard host-fingerprint exfiltration shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006316",
            "versions": [
                "1.0.9"
            ],
            "sha256": "2672da84038326aef670f6e4b5276bc4d1a2f678d986f0a422858bac2a39f6b5",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:58:30Z",
            "import_time": "2026-06-13T07:25:39.268133377Z"
        },
        {
            "id": "IN-MAL-2026-006315",
            "versions": [
                "1.0.2"
            ],
            "sha256": "a36bb51486017eff5ce97b5a6c916f6140e0dd1cbfe3f2686bbeb97c03995395",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:58:27Z",
            "import_time": "2026-06-13T07:25:39.202479907Z"
        },
        {
            "id": "IN-MAL-2026-006312",
            "import_time": "2026-06-13T07:25:39.005814391Z",
            "sha256": "a675df3cebba84e131f74db241a485e0eea07d89837e6fb9d91aac2342713f08",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:58:16Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006313",
            "versions": [
                "1.0.9"
            ],
            "sha256": "addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:58:26Z",
            "import_time": "2026-06-13T07:25:39.077141852Z"
        },
        {
            "id": "IN-MAL-2026-006311",
            "import_time": "2026-06-13T07:25:38.924501166Z",
            "sha256": "bb98b7bd393ae33a610f2cb95e294878050d42ba2757be857c34e8a411bfec3a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:58:16Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006314",
            "import_time": "2026-06-13T07:25:39.154074292Z",
            "sha256": "9c131ec8f08bea5eecdaa826ff4a17588c61dc432ca61ef3658dbe0e6b4aebe8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:58:26Z",
            "versions": [
                "1.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / node-app-doctor

Package

Affected ranges

Affected versions

1.*
1.0.1
1.0.2
1.0.9

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "collect.js",
            "sha256": "57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8",
            "tlsh": "cea21e5b14cb351ac747e70ad7670014ad88abb3b113bb41bb8c9bd41f2ad2663d09f9"
        }
    ],
    "package_integrity": [
        {
            "filename": "node-app-doctor-1.0.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-0OZN1ofsvbcYrfcLOauNKnl/30gkF2Ey2bQ9tB2It3KpHrBv3N01jIbBmnzshG/+LxP3L5FSoowFcfJrv9PRBw==",
                "sha1": "9c1bb5f4c3290e2b503cd1b75236077e895d1f40"
            }
        }
    ],
    "ips": [
        "104.16.8.34",
        "10.1.0.2"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-app-doctor/MAL-2026-5733.json"