MAL-2026-5764

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sys-info-cli-app/MAL-2026-5764.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5764
Published
2026-06-14T07:21:56Z
Modified
2026-06-14T08:01:43.702496733Z
Summary
Malicious code in sys-info-cli-app (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1423c435a0e9e86338dd64d138fb1697580751ade2b7486880e21785e1b3eb47)

The package's collect.js gathers host identifiers (os.hostname(), os.homedir()) along with filesystem and child_process introspection and POSTs them to a hardcoded external endpoint at http://aab.sportsontheweb.net. The destination is unrelated to any legitimate npm distribution infrastructure and the data flow has no documented purpose tied to the package's stated function. The combination of os/child_process/fs reads with an outbound POST to an attacker-controlled domain is the canonical host-reconnaissance / exfiltration shape. Installing or loading this package causes installer host metadata to be sent off-host to a third-party server.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006454",
            "import_time": "2026-06-14T07:43:27.690315636Z",
            "sha256": "1423c435a0e9e86338dd64d138fb1697580751ade2b7486880e21785e1b3eb47",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:21:58Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006455",
            "versions": [
                "1.0.1"
            ],
            "sha256": "27dfc1e117001fe5c9c5ba1d091d3dfb7221dcba8548a0d9de5782f1ba878177",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:21:59Z",
            "import_time": "2026-06-14T07:43:27.722977593Z"
        },
        {
            "id": "IN-MAL-2026-006456",
            "versions": [
                "1.0.9"
            ],
            "sha256": "59aa09b82f37f5407f4b9f36e747cf77223ec561e131c5e6a910037d824c32ae",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:21:59Z",
            "import_time": "2026-06-14T07:43:27.756683818Z"
        },
        {
            "id": "IN-MAL-2026-006452",
            "versions": [
                "1.0.2"
            ],
            "sha256": "64659c05718995ad539dc101e0c177c8f663dce920935b1e8cf39ea11914e840",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:21:56Z",
            "import_time": "2026-06-14T07:43:27.575350736Z"
        },
        {
            "id": "IN-MAL-2026-006453",
            "versions": [
                "1.0.2"
            ],
            "sha256": "a4e883a7d23f25424d56280dc14ad8a08a163ef7c9c01b12689ae8049899a617",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:21:58Z",
            "import_time": "2026-06-14T07:43:27.64038548Z"
        },
        {
            "id": "IN-MAL-2026-006457",
            "versions": [
                "1.0.9"
            ],
            "sha256": "b3eec1fa6a56319409ac7aaf6de49d64ff54b6d70c50dfe1a8083da345e3a32d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:21:59Z",
            "import_time": "2026-06-14T07:43:27.790539379Z"
        }
    ]
}

Affected packages

npm / sys-info-cli-app

Affected versions

1.*
1.0.1
1.0.2
1.0.9

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "collect.js",
            "sha256": "463735e1a5b9150efad9ef66856033363d7ffb55490e84d1bf450c0e1406ef4d",
            "tlsh": "44a21e5b14cb351ac747e70ad7670014ad88abb3b113bb41bb8c9bd41f2ad2662d09f9"
        }
    ],
    "package_integrity": [
        {
            "filename": "sys-info-cli-app-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-YFffdBmy2dPVUHhlB4JrDx1zi0Y9Ax8/ffv/Mo2vkcnFoUGwjOz9n5h8SVxA3ysHLWaL+A/S4mOuMePQjWOuag==",
                "sha1": "0aad8a32ba5e24772315847a5d6c7fa01c9f91b9"
            }
        }
    ],
    "ips": [
        "104.16.1.34",
        "10.1.0.2",
        "104.16.10.34",
        "104.16.4.34"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sys-info-cli-app/MAL-2026-5764.json"