-= Per source details. Do not edit below this line.=-
On install, package.json runs node run.js via a postinstall lifecycle hook. The package ships beacon scripts (beacon9.js, beacon_linux.js) that import child_process, os, and http, collect host identity (os.hostname(), os.platform()), and issue outbound HTTP POST/GET requests. This is the canonical install-time host beacon / command-execution shape: arbitrary code runs on the installer's machine via npm install, host fingerprints are emitted over the network, and child_process is available to execute received instructions. The package name (npm-sandbox-research-*) and shipped contents are inconsistent with any legitimate library purpose.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006458",
"import_time": "2026-06-14T07:43:27.838238959Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
],
"modified_time": "2026-06-14T07:30:42Z",
"sha256": "24c86d7d2179375f642423fc8c38f58f5740b543bacab149ba8d4cbdcd7dc4cf"
},
{
"id": "IN-MAL-2026-006461",
"import_time": "2026-06-14T07:43:27.99637514Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
],
"modified_time": "2026-06-14T07:30:44Z",
"sha256": "ec025527f85ede469daba4142e2a4a93d2a2af95bc5804a7aceaf2fd270ade88"
}
]
}[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-9c4e/MAL-2026-5759.json"
{
"package_integrity": [
{
"filename": "npm-sandbox-research-9c4e-1.0.0.tgz",
"hashes": {
"sha1": "85a0842b9aa3a126c7c62661857456a219a62ca8",
"sha512_sri": "sha512-aMxLhrOlQYd9RDdZ0ByREV9klGnkcBaHMKfTGbnsDKhIQo+v45SbrcgkdsZuHjH/D5wsLgSTrqWp0Yk+ALmBgA=="
}
}
],
"evidence_files": [
{
"path": "beacon9.js",
"sha256": "a581b4f7151b4d5ecc97ffca4d92e3688c18587aa8bc83f7cdab2b55c3e2fcda",
"tlsh": "09123c81385655b897c369b9fe91fc252432e20d11b8916472cc42dd3bc6178a6bcfea"
},
{
"path": "beacon_linux.js",
"sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
"tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
},
{
"path": "package.json",
"sha256": "5eef1f040dc1ef9958e71ed97fd7684a9e70cfea735c85a5f1db69ae4a459c06",
"tlsh": "cc01d058dc2018236ac42b990c239a85f7348f0aa180a56d5577463c50dae3e71fb15d"
}
],
"ips": [
"173.255.233.239",
"104.16.0.34",
"10.1.0.2"
]
}