MAL-2026-5782

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/token-prices-cron/MAL-2026-5782.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5782

Published

2026-06-15T15:09:45Z

Modified

2026-06-15T15:46:46.377657349Z

Summary

Malicious code in token-prices-cron (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d)

On npm install, the preinstall lifecycle script in postinstall.js enumerates process.env, filters keys matching a broad credential regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), and bundles them with hostname, username, cwd, and npm registry/prefix metadata. The collected payload is POSTed over the network to a hardcoded bare IP at 185.130.46.35:8443 — no domain, no TLS verification context, no documented purpose. The package itself is a hollow shell: index.js is module.exports = {}, the description is 'Internal package', and the version is 999.0.0 — the canonical dependency-confusion shape designed to win resolution against a private-registry package of the same name and trigger the credential harvester on corporate build machines. A source comment confirms intent ('Exfil CI environment variables on install').

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006488",
            "import_time": "2026-06-15T15:30:22.236685127Z",
            "source": "amazon-inspector",
            "versions": [
                "999.0.0"
            ],
            "modified_time": "2026-06-15T15:09:45Z",
            "sha256": "10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d"
        }
    ]
}

References

https://www.npmjs.com/package/token-prices-cron/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / token-prices-cron

Package

Name: token-prices-cron; View open source insights on deps.dev
Purl: pkg:npm/token-prices-cron

Affected ranges

Affected versions

999.*

999.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/token-prices-cron/MAL-2026-5782.json"

indicators

{
    "package_integrity": [
        {
            "filename": "token-prices-cron-999.0.0.tgz",
            "hashes": {
                "sha1": "51adffb553e2f3a7c8e084d1fbe01fb23c3062ba",
                "sha512_sri": "sha512-kgvVSiTU8lSJCnloKwtJphtiSkWoL1bGamb2R+E8HgOhC6Qv45p39Lr6Ev2jjT1p0AaPDe8AdzXN31wVsAnX6g=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3",
            "tlsh": "ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2"
        },
        {
            "path": "package.json",
            "sha256": "d8ab6665415cb285e69ab885ed074b75b04e9e3226e749f0ea6f0ad3077d8cb7",
            "tlsh": "f8c080348d255f7318c40bd565a3860576f21d3b5144785857c3149443ef77748bb71e"
        }
    ]
}