MAL-2026-5738

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/postinstall-logger-7x9z/MAL-2026-5738.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5738

Published

2026-06-13T07:15:46Z

Modified

2026-06-13T07:31:42.405879838Z

Summary

Malicious code in postinstall-logger-7x9z (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6e89b603ffc718873a9d4c42167bf0c667c995cc2547bc9b99373ad4e9f0ca1e)

On install, package.json's postinstall hook ("postinstall": "node run.js") triggers execution of bundled beacon scripts (beacon15.js and beaconlinux.js). These scripts pull in childprocess, os, and http modules and issue outbound HTTP GET/POST requests carrying host identifiers including os.hostname() and os.platform(). The combination of automatic execution at install time, host-information collection, and outbound HTTP requests to a hardcoded destination is the canonical install-time exfiltration beacon shape. Any developer or CI system running npm install for this package will silently leak host data and execute code from the bundled scripts under the installing user's privileges.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006339",
            "versions": [
                "1.0.0"
            ],
            "sha256": "6e89b603ffc718873a9d4c42167bf0c667c995cc2547bc9b99373ad4e9f0ca1e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:15:46Z",
            "import_time": "2026-06-13T07:25:41.036314332Z"
        },
        {
            "id": "IN-MAL-2026-006340",
            "versions": [
                "1.0.0"
            ],
            "sha256": "7bd01e5566ec604864f993b9387139fdf2145f9f9ffbb9a255e1a9947441a454",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:15:47Z",
            "import_time": "2026-06-13T07:25:41.1120905Z"
        }
    ]
}

References

https://www.npmjs.com/package/postinstall-logger-7x9z/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / postinstall-logger-7x9z

Package

Name: postinstall-logger-7x9z; View open source insights on deps.dev
Purl: pkg:npm/postinstall-logger-7x9z

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "beacon15.js",
            "sha256": "b15b7345d68f1ae807f297406c204efb63f92bb3597cf507fc508110bc99b267",
            "tlsh": "9602a515f2a46d90539294b8da4ab448242b921f7d21bde0b7cf06dc2fec65e92309fd"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "2a7d836cda57c9cc3da4ab92bba038ba74a5c966b64f408da9c74903ec6f2c2a",
            "tlsh": "d2f081549d306d336ac03aa80d519d4afa358f0a6140395d82bb192c019fe7930bb26d"
        }
    ],
    "package_integrity": [
        {
            "filename": "postinstall-logger-7x9z-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-rzjumtVEUtiJk0cHCdq/GowbmlHDjm5lpxbm4UEghruVShk3xzjEWIUPRVApNEWCljsOod6yXEBJJSQYKc4NyQ==",
                "sha1": "4eb3dfab06f56f14dca3db811070f8c0a6d6fcae"
            }
        }
    ],
    "ips": [
        "104.16.9.34",
        "10.1.0.2",
        "173.255.233.239"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/postinstall-logger-7x9z/MAL-2026-5738.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]