MAL-2026-5800

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/boardstep/MAL-2026-5800.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5800
Published
2026-06-15T17:30:40Z
Modified
2026-06-15T19:06:36.833084423Z
Summary
Malicious code in boardstep (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c)

The package wires all three npm lifecycle hooks (preinstall, install, postinstall in package.json) to run install.js, which downloads https://www.pooron.org/tester.exe to the system temp directory under a randomized filename, marks it executable, and spawns it detached with stdio ignored and the window hidden (install.js:9 declares PAYLOAD_URL and install.js:64 calls spawn with {detached: true, stdio: 'ignore', windowsHide: true}). All errors are swallowed. The downloaded file is not hash-verified, the URL is unpinned, and the destination domain is unrelated to any declared publisher. The advertised purpose is a 'lightweight kanban board utility,' but index.js only exports a trivial stub class with format/getSystemInfo methods — no kanban functionality is present. The package metadata also uses a random-looking author handle ('sfhbdrffthger'), consistent with a cover-story lure paired with a dropper. When npm install runs, the installing machine fetches and silently executes an opaque attacker-controlled binary.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006635",
            "import_time": "2026-06-15T18:54:55.11700102Z",
            "versions": [
                "1.1.4"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T17:30:45Z",
            "sha256": "0fe75e9b8d5e4db24bcae068f6f4a55e000043c581641e6ce78a65701f4faaa3"
        },
        {
            "id": "IN-MAL-2026-006645",
            "import_time": "2026-06-15T18:54:55.682259738Z",
            "source": "amazon-inspector",
            "versions": [
                "1.1.0"
            ],
            "modified_time": "2026-06-15T17:30:55Z",
            "sha256": "1c728314b118425c8e4be256314b44452198a03b9cc6e9b697fa10dc8fa8bb2a"
        },
        {
            "id": "IN-MAL-2026-006641",
            "import_time": "2026-06-15T18:54:55.458895579Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.7"
            ],
            "modified_time": "2026-06-15T17:30:48Z",
            "sha256": "2642f9949a070ceffd4e18fadfc9961d2588873ff4e2e866421162543d22c13c"
        },
        {
            "id": "IN-MAL-2026-006644",
            "import_time": "2026-06-15T18:54:55.641521508Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-15T17:30:50Z",
            "sha256": "325418ddeb8034034f4ff5434b932636adefe9d71a4b69dab8b20d4f6af2da53"
        },
        {
            "id": "IN-MAL-2026-006630",
            "import_time": "2026-06-15T18:54:54.880809448Z",
            "source": "amazon-inspector",
            "versions": [
                "1.1.2"
            ],
            "sha256": "5d193c5fa2c3acc68bf1f212f644e09ae38a98c5bc3aa64e5018289da5e70542",
            "modified_time": "2026-06-15T17:30:43Z"
        },
        {
            "id": "IN-MAL-2026-006637",
            "import_time": "2026-06-15T18:54:55.237515571Z",
            "versions": [
                "1.0.5"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T17:30:46Z",
            "sha256": "d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c"
        },
        {
            "id": "IN-MAL-2026-006639",
            "import_time": "2026-06-15T18:54:55.356637498Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.5"
            ],
            "modified_time": "2026-06-15T17:30:47Z",
            "sha256": "1475dbf1ac0cdc805d7ae41c48f8edfa7a67ac5749518afb27ef1fd6d53477b4"
        },
        {
            "id": "IN-MAL-2026-006634",
            "import_time": "2026-06-15T18:54:55.067814031Z",
            "source": "amazon-inspector",
            "versions": [
                "1.1.3"
            ],
            "modified_time": "2026-06-15T17:30:44Z",
            "sha256": "2e24960fef479acf9380994e528fe3489caf04bcf720e2936e4f982f19ff214a"
        },
        {
            "id": "IN-MAL-2026-006629",
            "import_time": "2026-06-15T18:54:54.846167592Z",
            "source": "amazon-inspector",
            "versions": [
                "1.1.2"
            ],
            "modified_time": "2026-06-15T17:30:41Z",
            "sha256": "495f2962e11e2b5600a0d50d95e778b87ae4b9e88f83b9bcbf6364d16dfbb33e"
        },
        {
            "id": "IN-MAL-2026-006631",
            "import_time": "2026-06-15T18:54:54.93895465Z",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T17:30:43Z",
            "sha256": "7ec0920e2706acb6ad200c954aff69c563d6f45ce153e5a54b2315d433be19f9"
        },
        {
            "id": "IN-MAL-2026-006636",
            "import_time": "2026-06-15T18:54:55.200757574Z",
            "source": "amazon-inspector",
            "versions": [
                "1.1.3"
            ],
            "sha256": "b8557d825807486ccc8ae2d425fae75c052e94479a1b0a1d92538cca3ef13441",
            "modified_time": "2026-06-15T17:30:46Z"
        },
        {
            "id": "IN-MAL-2026-006632",
            "import_time": "2026-06-15T18:54:55.000490371Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.9"
            ],
            "modified_time": "2026-06-15T17:30:44Z",
            "sha256": "16d8821c5887c1c3c2e7edf779a321325f3f3af927deb2e3126bab492ad9966f"
        },
        {
            "id": "IN-MAL-2026-006642",
            "import_time": "2026-06-15T18:54:55.491010478Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.7"
            ],
            "modified_time": "2026-06-15T17:30:49Z",
            "sha256": "f103051c15e08c9458073d83479e72c8adb82b907555f0eb18d195aa3de38489"
        },
        {
            "id": "IN-MAL-2026-006638",
            "import_time": "2026-06-15T18:54:55.289909381Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-06-15T17:30:46Z",
            "sha256": "160b1e0a86193a1e1e473a9bf7d50420f215723a1034a35d1e6f9023a7ad80de"
        },
        {
            "id": "IN-MAL-2026-006640",
            "import_time": "2026-06-15T18:54:55.396553058Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.1"
            ],
            "sha256": "279ecefcbad0d8d01a1f4d08158093609409e96d470b9c5f15889fd241dc3ce4",
            "modified_time": "2026-06-15T17:30:48Z"
        },
        {
            "id": "IN-MAL-2026-006628",
            "import_time": "2026-06-15T18:54:54.776365839Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.9"
            ],
            "modified_time": "2026-06-15T17:30:40Z",
            "sha256": "7849155ad4026116feb6a2afac79215c1fe7af6bda263596734b377db0b6946d"
        },
        {
            "id": "IN-MAL-2026-006633",
            "import_time": "2026-06-15T18:54:55.036076653Z",
            "versions": [
                "1.1.4"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T17:30:44Z",
            "sha256": "c3993e27a1725891e01283df6a72ec0619f8307445b2f2e7d8f5f6a448ce38e8"
        },
        {
            "id": "IN-MAL-2026-006643",
            "import_time": "2026-06-15T18:54:55.556882334Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "sha256": "f6ab5802a77fa85a1b0d46c70336da48abd5e43a743f1a73b85ebc54c2d1175b",
            "modified_time": "2026-06-15T17:30:50Z"
        }
    ]
}
References
Credits

Affected packages

npm / boardstep

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.5
1.0.7
1.0.9
1.1.0
1.1.2
1.1.3
1.1.4

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/boardstep/MAL-2026-5800.json"
indicators
{
    "package_integrity": [
        {
            "filename": "boardstep-1.0.7.tgz",
            "hashes": {
                "sha1": "c41d82e45baf5146484e6b5aed19fbde0c37686c",
                "sha512_sri": "sha512-ocZkVCD6qKpaJ/VV8TZqJOSuE/5CTpO/xj3qh2nsuiiWlQKrxCHcb8qNOZTTvR9shB2b/JFaA6Alw8MNMOj8+A=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "install.js",
            "sha256": "cef7bafa9d03ddbb9b09949ff63535f27552bd82e5e000818f453c80a904b923",
            "tlsh": "9a5195af4a25123486f167cd8f63a526da47c133b74147d4beac83412fb21684199ffd"
        },
        {
            "path": "package.json",
            "sha256": "74fcb39bd7bfb1c6643deeb71734a79542e322dd3285d9156c513067c1da8cb8",
            "tlsh": "74f0e226ca04dd63adf84ba654168106f2161b0f51648c0b72fb421c1ba36a7804f306"
        }
    ],
    "ips": [
        "216.198.79.65"
    ],
    "domains": [
        "www.pooron.org"
    ]
}