MAL-2026-5781

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/portal-backend/MAL-2026-5781.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5781

Published

2026-06-15T15:10:14Z

Modified

2026-06-15T15:46:46.208223362Z

Summary

Malicious code in portal-backend (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c5aca21d0e952f5ba313432cf5d47e41f185d19e65d894a005cce20be90d4985)

On npm install, the package's preinstall hook executes postinstall.js, which enumerates process.env and filters keys matching a broad credential-shaped regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), then bundles those values together with os.hostname(), os.userInfo().username, process.cwd(), and npm registry config into a JSON payload and POSTs it via https.request to 185.130.46.35:8443/collect — a bare IP with no relation to any publisher domain. The source even self-identifies the behavior in a comment ("Exfil CI environment variables on install"). The package itself is hollow: index.js is module.exports = {}, the description is the generic "Internal package," and the version is 999.0.0 — the canonical dependency-confusion shape designed to outrank a private registry's portal-backend and have misconfigured installers fetch this public copy instead. Installing this package on any developer or CI machine immediately ships that machine's CI secrets, deploy tokens, SSH/registry credentials, and host identity to the attacker.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006489",
            "import_time": "2026-06-15T15:30:22.350801304Z",
            "source": "amazon-inspector",
            "versions": [
                "999.0.0"
            ],
            "sha256": "c5aca21d0e952f5ba313432cf5d47e41f185d19e65d894a005cce20be90d4985",
            "modified_time": "2026-06-15T15:10:14Z"
        }
    ]
}

References

https://www.npmjs.com/package/portal-backend/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / portal-backend

Package

Name: portal-backend; View open source insights on deps.dev
Purl: pkg:npm/portal-backend

Affected ranges

Affected versions

999.*

999.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/portal-backend/MAL-2026-5781.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "portal-backend-999.0.0.tgz",
            "hashes": {
                "sha1": "1eed91533028cd8339fea36166d023cf459f4228",
                "sha512_sri": "sha512-+ueeXkhLuxRf37EuHCuhuPUCkyYnoJe1JbWLPOA1E1GwtTl7bQQcLCUOsrQexVdlbvFLWti1HKj3u25gRDDKGw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3",
            "tlsh": "ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2"
        },
        {
            "path": "package.json",
            "sha256": "47c9924a1947405a624eebfed9286c3acd27dca9a0de2f94b5a8c7d718a3c889",
            "tlsh": "dbc080348d1557731ccc0bd62cb38505f5b61d2f9004685857c3155483fa777486b70d"
        }
    ]
}