MAL-2026-5761

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-d7e8/MAL-2026-5761.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5761

Published

2026-06-14T07:30:44Z

Modified

2026-06-14T08:01:43.670095438Z

Summary

Malicious code in npm-sandbox-research-d7e8 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3ff31cbf7e2e36cef422933472638912cd6ee6652ece9b03d11faa98b70d13e9)

Package declares a postinstall lifecycle hook ("postinstall": "node run.js") that auto-executes on install. The package ships beacon scripts (beacon12.js, beaconlinux.js) that import childprocess, os, and http, collect host identifiers via os.hostname() and os.platform(), and issue outbound HTTP GET/POST requests via http.request() carrying that data off-host. The combination of automatic install-time execution, host enumeration, and unconditional outbound HTTP to non-registry endpoints is a host-beacon / exfiltration pattern that runs on any developer or CI machine that runs npm install against this package.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006463",
            "versions": [
                "1.0.0"
            ],
            "sha256": "3ed7c80bf46b2b23909b8bb0cbb44d13faf2ebefa1a37f612298273b1dc0031f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:45Z",
            "import_time": "2026-06-14T07:43:28.093375174Z"
        },
        {
            "id": "IN-MAL-2026-006462",
            "import_time": "2026-06-14T07:43:28.050813403Z",
            "sha256": "3ff31cbf7e2e36cef422933472638912cd6ee6652ece9b03d11faa98b70d13e9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:44Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/npm-sandbox-research-d7e8/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / npm-sandbox-research-d7e8

Package

Name: npm-sandbox-research-d7e8; View open source insights on deps.dev
Purl: pkg:npm/npm-sandbox-research-d7e8

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "beacon12.js",
            "sha256": "42f2ec6bf5db4c6c627e3f727620da58f0d25c29def1ac1e4cd43d48a13e9b9e",
            "tlsh": "d2e1e921d9591d647502dae9ee07e8583017e21f6830fa60b7dd548c2fdc01e85f66fd"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "96437f37c17238ae8cfd37e39fb2194a63072d8950f1da5110cfb7ec85d8f462",
            "tlsh": "a0f0dd949d20583355c02ee60d669959f730cf0f9040ba6d127b493891dfe7931bb11c"
        }
    ],
    "package_integrity": [
        {
            "filename": "npm-sandbox-research-d7e8-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-TF8YyCXwAFZjJMK8Qjf+scmBAiwsb6csL6UBepHP2CgXlUsbzRqVry6tzhQM5AmP8IkrPvp1bGiPoJwNPft/Pg==",
                "sha1": "84a7b5f590990957cb12a758f3df8232a57d8f65"
            }
        }
    ],
    "ips": [
        "173.255.233.239",
        "104.16.7.34"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-d7e8/MAL-2026-5761.json"

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]