-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall hook (node postinstall.js || true) executes automatically. The script collects hostname, username, and current working directory, then iterates process.env and filters keys matching the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i, capturing CI tokens, SSH keys, deploy credentials, cloud API keys, RPC/wallet secrets, and similar. The collected JSON payload is POSTed via https.request to the hardcoded bare IP 185.130.46.35:8443/collect. The package metadata reinforces the attack shape: version 999.0.0 and description "Internal package" are the canonical dependency-confusion pattern, intended to override an organization's internal vaults-monitor-cron package. The || true suffix on the preinstall command swallows errors so the install appears to succeed silently. There is no legitimate functionality in the package — its sole on-install effect is credential exfiltration.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-15T15:09:40Z",
"id": "IN-MAL-2026-006487",
"source": "amazon-inspector",
"import_time": "2026-06-15T15:30:22.11148159Z",
"sha256": "b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923",
"versions": [
"999.0.0"
]
}
]
}{
"evidence_files": [
{
"path": "postinstall.js",
"tlsh": "ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2",
"sha256": "d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3"
},
{
"path": "package.json",
"tlsh": "49c022348c16963318c4078124a2800565b20c2f2000a81807c3289002ee732086b20d",
"sha256": "566970a592386fdfeaa4ebac1538194ac647fe2ace1394d2a20381e1cddca4f7"
}
],
"package_integrity": [
{
"filename": "vaults-monitor-cron-999.0.0.tgz",
"hashes": {
"sha1": "81972ef389dc5a799ead8c67e2295639b19ee60f",
"sha512_sri": "sha512-Mi05MrjD5JtaDpL6OgXPBGjNKXVidwX8a2b+Mhv37uVfrRyDiO/qQ7m4PuRfqNxTqcIq3vrXW7vlOWY0IxtAWg=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vaults-monitor-cron/MAL-2026-5784.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]