MAL-2026-5763

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-g3h4/MAL-2026-5763.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5763
Published
2026-06-14T07:30:43Z
Modified
2026-06-14T08:01:43.783810237Z
Summary
Malicious code in npm-sandbox-research-g3h4 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5e119a878730c42d27b9ec21adae1cbc6e044f1d6703c152010b5261647f1a3a)

On install, package.json's postinstall hook executes run.js. The package ships beacon15.js and beacon_linux.js, which import child_process, os, and http and issue outbound HTTP requests carrying host identifiers. beacon_linux.js reads os.hostname() and os.platform() and POSTs them via http.request(); beacon15.js similarly issues GET/http.request() calls referencing host id fields. The combination of a lifecycle hook that runs on every install plus modules that collect host metadata and beacon it outbound matches an install-time host-exfiltration / C2 callback pattern with no legitimate documented purpose.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006459",
            "versions": [
                "1.0.0"
            ],
            "sha256": "5e119a878730c42d27b9ec21adae1cbc6e044f1d6703c152010b5261647f1a3a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:43Z",
            "import_time": "2026-06-14T07:43:27.919292174Z"
        },
        {
            "id": "IN-MAL-2026-006460",
            "import_time": "2026-06-14T07:43:27.965136848Z",
            "sha256": "6df6ab545cb5891153281962879a70b15df1e9e9fb6e404ca7c9dc33e773dfab",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:30:43Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / npm-sandbox-research-g3h4

Package

Name
npm-sandbox-research-g3h4
Purl
pkg:npm/npm-sandbox-research-g3h4

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "beacon15.js",
            "sha256": "b15b7345d68f1ae807f297406c204efb63f92bb3597cf507fc508110bc99b267",
            "tlsh": "9602a515f2a46d90539294b8da4ab448242b921f7d21bde0b7cf06dc2fec65e92309fd"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "976f408116bd10045ba22f9f5fb834fd3083f189e56dae5844782401b6d5c180",
            "tlsh": "53f002045c202c332ae43aa90c51ac8db630cf175050b91d437f593c42def3931bb24c"
        }
    ],
    "package_integrity": [
        {
            "filename": "npm-sandbox-research-g3h4-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-XxXz9st8vXy6jOyRjeTDcat/on9hh0T2MJttwBThTSaxvhAv76j+UPgJcnU1MtvRSAp8FsCvs29QEV3Nm7qE1Q==",
                "sha1": "71071e5c31050ddfe4f42d6abe24f9f0731c117c"
            }
        }
    ],
    "ips": [
        "173.255.233.239",
        "10.1.0.2",
        "104.16.2.34",
        "104.16.7.34",
        "104.16.5.34"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-g3h4/MAL-2026-5763.json"