MAL-2026-5758

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-8b2f/MAL-2026-5758.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5758
Published
2026-06-14T07:30:46Z
Modified
2026-06-14T08:01:43.812803427Z
Summary
Malicious code in npm-sandbox-research-8b2f (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (916280d3906e0f04caa7f46135039e4a42b03a5c96091c1555ad2ab0e86b923b)

On install, package.json runs postinstall: node run.js, which loads beacon scripts (beacon8.js, beacon_linux.js) that import child_process, os, and http, gather host identity (output of whoami, os.hostname(), os.platform()), and POST the collected data to a hardcoded HTTP endpoint via http.request(...). This fires automatically on npm install, providing attacker-controlled reconnaissance of every installer host with no user interaction. The behavior — privileged shell command execution, host identity collection, and outbound HTTP POST from a postinstall hook — matches the active-attack reconnaissance/beacon fingerprint.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006467",
            "import_time": "2026-06-14T07:43:28.307281062Z",
            "sha256": "5119ca2a37c8be102cacd11eec20c77cbe1ac35d0de988a98180b3ae9b1167da",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:47Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006465",
            "versions": [
                "1.0.0"
            ],
            "sha256": "916280d3906e0f04caa7f46135039e4a42b03a5c96091c1555ad2ab0e86b923b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:46Z",
            "import_time": "2026-06-14T07:43:28.187416868Z"
        }
    ]
}
References
Credits

Affected packages

npm / npm-sandbox-research-8b2f

Package

Name
npm-sandbox-research-8b2f
Purl
pkg:npm/npm-sandbox-research-8b2f

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "beacon8.js",
            "sha256": "0874fbbbe2982033da12289f4572ca58238c3a92bf4ca4216fdcde795d690182",
            "tlsh": "6652f941397b17e496d329d6fefbed212053e10e2698a494b2cc824d2fcc12c5669bdb"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "5a3ed53288ccbc529ccb3f3c01c97c24e9ad53098c4f5526700bc06008fbd72a",
            "tlsh": "a7011014ac2028335dc12be60c666545f7308f0b9040ba5d42bb862851eef7931bb04c"
        }
    ],
    "package_integrity": [
        {
            "filename": "npm-sandbox-research-8b2f-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-HBUJBD0Y1Rp6DuUapNxM07t1FhZ7+nuiY1ckvOUwBvdRoB7Wl+bNVP+uKPuz0+iJwIyTXrIDYmOZhg4UTQLi6g==",
                "sha1": "b3d971a27fe24ce69038036a2b233276f75a68d0"
            }
        }
    ],
    "ips": [
        "173.255.233.239",
        "104.16.9.34",
        "10.1.0.2"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-8b2f/MAL-2026-5758.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]