MAL-2026-5741
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@achuthvp/postinstall-poc/MAL-2026-5741.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5741
- Published
- 2026-06-13T20:24:46Z
- Modified
- 2026-06-13T20:46:41.519843531Z
- Summary
- Malicious code in @achuthvp/postinstall-poc (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9)
package.json declares scripts.postinstall =
node postinstall.js. On everynpm install, postinstall.js runsexecSync('id')and POSTs a JSON body containing theidoutput,os.hostname(), platform, architecture,process.cwd(), and Node version to the hardcoded URLhttps://webhook.site/fceebb0d-9f11-4ac0-98db-6f6b3925f7d3(postinstall.js line 14, exfil call constructed viahttps.requestat line 21 with POST at line 24). The behavior is unconditional, undisclosed in the README (Does nothing much), and fires on a default install. Although the package self-describes as a POC, the install-time mechanism is identical to an active reconnaissance/exfiltration payload: any developer or CI machine installing this package leaks its identity (uid/gid/groups viaid, hostname, cwd, platform) to an attacker-readable webhook bin. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-006379", "versions": [ "1.0.2" ], "sha256": "8a5c98a52f068d49b6fbdf96d76a24df1f7807c41e53ab75d6270ca0ce64fb1a", "source": "amazon-inspector", "modified_time": "2026-06-13T20:24:47Z", "import_time": "2026-06-13T20:33:18.941844057Z" }, { "id": "IN-MAL-2026-006381", "versions": [ "1.0.3" ], "sha256": "91e690492c565ad314bb15d92061ec65f0f5a6622e3b20d9c4acf3170df13ac5", "source": "amazon-inspector", "modified_time": "2026-06-13T20:24:52Z", "import_time": "2026-06-13T20:33:18.994590214Z" }, { "id": "IN-MAL-2026-006378", "import_time": "2026-06-13T20:33:18.916329426Z", "sha256": "972fb1c4637e2b6b3d0ed4a3d24b0f5a91fe190baf271328278eb756c9611e36", "source": "amazon-inspector", "modified_time": "2026-06-13T20:24:46Z", "versions": [ "1.0.2" ] }, { "id": "IN-MAL-2026-006380", "import_time": "2026-06-13T20:33:18.970252282Z", "sha256": "c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9", "source": "amazon-inspector", "modified_time": "2026-06-13T20:24:52Z", "versions": [ "1.0.3" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @achuthvp/postinstall-poc
Package
- Name
- @achuthvp/postinstall-poc
- View open source insights on deps.dev
- Purl
- pkg:npm/%40achuthvp%2Fpostinstall-poc
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@achuthvp/postinstall-poc/MAL-2026-5741.json"
indicators
{
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "97ad818370207f92d58a2e9981e90fd5616b34c61cf5a2e09c4f78e187767fc5",
"tlsh": "cb41674946f6a1741ab3bd9c936755066262c2173d04fcb8be4d0a601f4fa7c51f07ed"
}
],
"package_integrity": [
{
"filename": "postinstall-poc-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-fTMzJ3V5X+66LuzDJyEOn1ryhrHusageUxt2Cemec7p6fP7cDU4jAEyTr6dK8xSPVZsGSBPSIL+J4a8BFDyb2A==",
"sha1": "74c7ef7b1935a2f527bd7c97d666202c49088c7c"
}
}
],
"ips": [
"104.16.0.34",
"10.1.0.2"
],
"domains": [
"webhook.site"
]
}