-= Per source details. Do not edit below this line.=-
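The package declares a postinstall hook ("postinstall": "node run.js" in package.json) that executes on every install. The bundled scripts beacon6.js and beacon_linux.js use require('child_process') to gather host identity (whoami, os.hostname(), os.platform()) and POST the collected data to a remote HTTP endpoint via http.request(...). The package name npm-sandbox-ping-c8f2a, the beacon-style file naming, and the absence of any legitimate library functionality indicate that the install-time goal is host fingerprinting and a callback to an attacker-controlled destination, not any documented purpose. Installing this package automatically transmits the installing machine's identity off-host. Because the trigger is an npm lifecycle script, an install run with lifecycle scripts disabled (npm install --ignore-scripts) does not execute the hook. The ips list recorded with the evidence includes 10.1.0.2, an RFC 1918 private address, and 104.16.x.x entries that appear to be shared CDN address space, so confirm each address before using it as a block or detection indicator; the file and tarball hashes are the more specific match.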
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006469",
"versions": [
"1.0.0"
],
"sha256": "dc3d1f51ae443b062c28e4cf7f1b4203a6c5982e65f78f5dff5adf6c415b0237",
"source": "amazon-inspector",
"modified_time": "2026-06-14T07:30:48Z",
"import_time": "2026-06-14T07:43:28.414770377Z"
},
{
"id": "IN-MAL-2026-006468",
"versions": [
"1.0.0"
],
"sha256": "f5401a81d56283c310efebfe29af19c3e3fa331667f40adeed71a54627adc877",
"source": "amazon-inspector",
"modified_time": "2026-06-14T07:30:47Z",
"import_time": "2026-06-14T07:43:28.368084065Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-ping-c8f2a/MAL-2026-5757.json"
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"path": "beacon6.js",
"sha256": "53fb0be80b3bec5ea46b21b6b9eaa201afaf1401bc028ebcdbd01b08dafc4b14",
"tlsh": "d1122a813da660b483c35dfafed7fca51221e11d81689554b5cc81ca2bc213c9b6dbdb"
},
{
"path": "beacon_linux.js",
"sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
"tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
},
{
"path": "package.json",
"sha256": "97373bd3778f35162f5d261c270ddf939eeffcc676adf3c09e471fb0521b4a83",
"tlsh": "910123905c302c3355c12ec61c561a8af3344f4b3190bd5d86771a1c219ff74357e19c"
}
],
"package_integrity": [
{
"filename": "npm-sandbox-ping-c8f2a-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-QgDFRcsNUPus2nQR11dCvB6u845CncSgMadUX5Fbdv+Ikt4iIN4dBkE7f/mf9+CVMxRLRQgHrP5E3ludvDKcyQ==",
"sha1": "db5d2aa2e07292e16e8ba0110cacfb006a71f31a"
}
}
],
"ips": [
"173.255.233.239",
"104.16.7.34",
"10.1.0.2",
"104.16.6.34"
]
}