-= Per source details. Do not edit below this line.=-
`package.json` declares a `preinstall` script, `node install.js`, which npm runs automatically on `npm install`. `install.js` is heavily obfuscated (obfuscator.io string-array shuffle with `_0xNNNN` identifiers and split-string concatenation) to hide its behavior. After deobfuscation, the script downloads `https://www.pooron.org/ice.exe` into the OS temp directory as `tester_<randomhex>.exe`, sets its mode to 755 with chmod, and launches it as a detached process via `spawn(PAYLOAD_PATH, [], {detached:true, stdio:'ignore', windowsHide:true}).unref()`, using a cmd-style invocation on Windows and direct exec on macOS/Linux. The console message `[boardstep] Optional dependency initialized.` is printed as a cover story (note that `boardstep` does not match the package name `boardflow`). The payload domain `pooron.org` is not the package's publisher, the URL is mutable and unpinned, no hash or signature check is performed, and the binary is opaque. Supporting indicators of disposability: the README is 0 bytes, the `dependencies` field declares a self-reference (`boardflow: ^1.1.8`), and the package's stated kanban purpose has no implementing code. This is a textbook install-time dropper: any developer or build system running `npm install boardflow` immediately executes attacker-controlled code with the installer's privileges. Because the hook runs at install time, the payload executes even if the package is never imported; it does not run when lifecycle scripts are disabled (for example `npm install --ignore-scripts`).
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006646",
"import_time": "2026-06-15T18:54:55.747448489Z",
"versions": [
"1.1.4"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T17:30:59Z",
"sha256": "44c1a2a7a8989773ff06953829afe67e6d44ac2f0ed278fd1d3b6c1095af2e3e"
},
{
"id": "IN-MAL-2026-006647",
"import_time": "2026-06-15T18:54:55.779395856Z",
"source": "amazon-inspector",
"versions": [
"1.1.5"
],
"sha256": "4f6871f077a9d5bd524351630a320821db83a1c9d72fce8439cac236db123dea",
"modified_time": "2026-06-15T17:31:02Z"
},
{
"id": "IN-MAL-2026-006648",
"import_time": "2026-06-15T18:54:55.808404098Z",
"versions": [
"1.1.5"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T17:31:02Z",
"sha256": "9430a740d3fd1c56d55223525f3dfeea208ccb860cc67043780367647bf28055"
},
{
"id": "IN-MAL-2026-006674",
"import_time": "2026-06-15T20:14:26.218214583Z",
"versions": [
"1.2.0"
],
"source": "amazon-inspector",
"sha256": "3520dcd1368e2f6462e5ca772009fc9fbbd08e101939bf7d9302d05b2dd7bb5c",
"modified_time": "2026-06-15T19:39:29Z"
},
{
"id": "IN-MAL-2026-006677",
"import_time": "2026-06-15T20:14:26.669206285Z",
"source": "amazon-inspector",
"versions": [
"1.1.6"
],
"sha256": "450e43eca990ae027582424755a167dcb05f5d10561ba2e6ca960cb75daf7b6d",
"modified_time": "2026-06-15T19:39:32Z"
},
{
"id": "IN-MAL-2026-006673",
"import_time": "2026-06-15T20:14:26.134039227Z",
"versions": [
"1.2.1"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T19:39:27Z",
"sha256": "59759162b86b7e677218f15ebde6675f9fa6e6a6acef80839219a507d229c930"
},
{
"id": "IN-MAL-2026-006676",
"import_time": "2026-06-15T20:14:26.574753975Z",
"versions": [
"1.1.7"
],
"source": "amazon-inspector",
"sha256": "be03976e81028345e9bef1648f70d09264024298160cb4ff2ac123c384d31831",
"modified_time": "2026-06-15T19:39:31Z"
},
{
"id": "IN-MAL-2026-006675",
"import_time": "2026-06-15T20:14:26.368974342Z",
"source": "amazon-inspector",
"versions": [
"1.1.9"
],
"sha256": "f86d380601bfb580bd1337b13be24dda3c998cf9ba7fdec4c250808da3000295",
"modified_time": "2026-06-15T19:39:30Z"
},
{
"id": "IN-MAL-2026-006672",
"import_time": "2026-06-15T20:14:25.955538126Z",
"versions": [
"1.1.8"
],
"source": "amazon-inspector",
"sha256": "f9d5c1524281430272215f48a90b957cf08f76dcb9954cb73945421dff358eb2",
"modified_time": "2026-06-15T19:39:21Z"
}
]
}[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/boardflow/MAL-2026-5799.json"
{
"package_integrity": [
{
"filename": "boardflow-1.1.4.tgz",
"hashes": {
"sha1": "f033b2b163e72c13bec89fed59b09a7d5065cf0a",
"sha512_sri": "sha512-HEi3CRFVbeV+QrPkdkdxz5DT5e0sp6MMc9kcAvTEXzylJ4Qy3ou7dTsIb7nCnSHUiHN/Pt+CpyvM7MgFc5zqcg=="
}
}
],
"evidence_files": [
{
"path": "install.js",
"sha256": "556c26e2446daf0a7f7672c4f1c6e22a8971597f99e7cfb49fa8aa3dce9182aa",
"tlsh": "a3f17349f281344663428db7fa3b69c4c57a988c3e840943d3547d90fb66322dbd76ba"
},
{
"path": "package.json",
"sha256": "c795ff92e91ffe6bb98097bac49685d7feecaf2162623bbe0054615f0fefc225",
"tlsh": "b5f0e92aca1cdc57a9f406a554258646f1061f1f01714c0f31f3931c4fb2b63809f70a"
}
],
"ips": [
"64.29.17.1"
],
"domains": [
"www.pooron.org"
]
}