MAL-2026-5760

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-c5d6/MAL-2026-5760.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5760
Published
2026-06-14T07:30:46Z
Modified
2026-06-14T08:01:43.654760595Z
Summary
Malicious code in npm-sandbox-research-c5d6 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b)

The package declares a postinstall hook ("postinstall": "node run.js") that executes automatically on npm install. The shipped beacon scripts (beacon11.js, beacon_linux.js) load child_process, os, and http, read host identifiers via os.hostname() and os.platform(), and issue outbound HTTP GET/POST requests carrying that data. This is the install-time host-fingerprinting and exfiltration shape: lifecycle execution + system-info collection + outbound network in a single chain, with no legitimate library functionality justifying the behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006464",
            "versions": [
                "1.0.0"
            ],
            "sha256": "e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:46Z",
            "import_time": "2026-06-14T07:43:28.135499775Z"
        },
        {
            "id": "IN-MAL-2026-006466",
            "import_time": "2026-06-14T07:43:28.280386212Z",
            "sha256": "f94e3174e59659bc3525db8886120231fe3f85edfce419c48b81f1a6f7f2c998",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:46Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / npm-sandbox-research-c5d6

Package

Name
npm-sandbox-research-c5d6
Purl
pkg:npm/npm-sandbox-research-c5d6

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "beacon11.js",
            "sha256": "f4a9ea1da339d73e682bd22b37a57ea2a1141d0953d4a461f7f25bacf237de24",
            "tlsh": "28e10821da656e647603e5a8df47a8482416f21f3930faa0b3dd548c2fdc11ec5b62fe"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "7353aab298cf717d6e7bfc5d4f4921de08d5a462ce98742188efbb2da65f309a",
            "tlsh": "3001fe44dd301c7329d42e910e538989fa348f0f9040aeae427b4538a0eee7934bb2bc"
        }
    ],
    "package_integrity": [
        {
            "filename": "npm-sandbox-research-c5d6-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Sn5gfQbYB9suuXfXqP//cKO0dBlsuXcHDY8sUhgD/T6L8pEPNLI2gIFhmKwBtG1nj76uz2OTUepVFqAm295BKQ==",
                "sha1": "b115c08d21ed96b0a221aee843a3816b2bd70702"
            }
        }
    ],
    "ips": [
        "173.255.233.239",
        "104.16.4.34",
        "10.1.0.2"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-c5d6/MAL-2026-5760.json"