MAL-2026-5784

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vaults-monitor-cron/MAL-2026-5784.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5784

Published

2026-06-15T15:09:40Z

Modified

2026-06-15T15:46:46.833771360Z

Summary

Malicious code in vaults-monitor-cron (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923)

On npm install, the package's preinstall hook (node postinstall.js || true) executes automatically. The script collects hostname, username, and current working directory, then iterates process.env and filters keys matching the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i, capturing CI tokens, SSH keys, deploy credentials, cloud API keys, RPC/wallet secrets, and similar. The collected JSON payload is POSTed via https.request to the hardcoded bare IP 185.130.46.35:8443/collect. The package metadata reinforces the attack shape: version 999.0.0 and description "Internal package" are the canonical dependency-confusion pattern, intended to override an organization's internal vaults-monitor-cron package. The || true suffix on the preinstall command swallows errors so the install appears to succeed silently. There is no legitimate functionality in the package — its sole on-install effect is credential exfiltration.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:09:40Z",
            "versions": [
                "999.0.0"
            ],
            "id": "IN-MAL-2026-006487",
            "import_time": "2026-06-15T15:30:22.11148159Z"
        }
    ]
}

References

https://www.npmjs.com/package/vaults-monitor-cron/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / vaults-monitor-cron

Package

Name: vaults-monitor-cron; View open source insights on deps.dev
Purl: pkg:npm/vaults-monitor-cron

Affected ranges

Affected versions

999.*

999.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vaults-monitor-cron/MAL-2026-5784.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3",
            "tlsh": "ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2",
            "path": "postinstall.js"
        },
        {
            "sha256": "566970a592386fdfeaa4ebac1538194ac647fe2ace1394d2a20381e1cddca4f7",
            "tlsh": "49c022348c16963318c4078124a2800565b20c2f2000a81807c3289002ee732086b20d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Mi05MrjD5JtaDpL6OgXPBGjNKXVidwX8a2b+Mhv37uVfrRyDiO/qQ7m4PuRfqNxTqcIq3vrXW7vlOWY0IxtAWg==",
                "sha1": "81972ef389dc5a799ead8c67e2295639b19ee60f"
            },
            "filename": "vaults-monitor-cron-999.0.0.tgz"
        }
    ]
}