MAL-2026-5857

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/event-metrics-q3x7/MAL-2026-5857.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5857

Published

2026-06-16T02:14:05Z

Modified

2026-06-16T02:31:45.519586496Z

Summary

Malicious code in event-metrics-q3x7 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9b805c0ac88b45f49b1698fb9ea33e00767380544221d574a0da0e0f526d07f8)

On install, package.json runs a postinstall hook (node run.js) that triggers beacon scripts (beacon20.js, beaconlinux.js) shipped in the tarball. The beacons load child_process, os, https, and http, gather host fingerprints (os.hostname(), os.platform(), process.platform, process.env) and command output via exec(...), and transmit the data outbound — beaconlinux.js issues an http.request(...) POST containing host details, while beacon20.js performs https.request(...) calls including requests against the Azure management API endpoint. There is no advertised purpose that justifies a host-info beacon firing automatically at install time, and the data collected (env vars, hostname, platform, command output) is classic installer-side reconnaissance and credential-surface telemetry. Installing this package executes the beacon on npm install and leaks installer-machine information to the embedded destinations.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006734",
            "import_time": "2026-06-16T02:23:11.889444323Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.2"
            ],
            "sha256": "38481a7b69f79e37a538047118a05881f29da308c683571c5ab230b5288663c0",
            "modified_time": "2026-06-16T02:14:09Z"
        },
        {
            "id": "IN-MAL-2026-006733",
            "import_time": "2026-06-16T02:23:11.849620402Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-06-16T02:14:09Z",
            "sha256": "fa01dc0bbee924d7db5aba6916490bc9202963bfd27c1fc558c19597f1e32f55"
        },
        {
            "id": "IN-MAL-2026-006731",
            "import_time": "2026-06-16T02:23:11.761049598Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.7"
            ],
            "modified_time": "2026-06-16T02:14:07Z",
            "sha256": "8431eba424b46c8f132b5cf8e65e88f79e227dcf22482b8ab2d23a144f81fc8a"
        },
        {
            "id": "IN-MAL-2026-006737",
            "import_time": "2026-06-16T02:23:12.019267395Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.8"
            ],
            "modified_time": "2026-06-16T02:14:13Z",
            "sha256": "9059fcd730d26d7cc5542c4d80eb7e1abd89e51f253ffe4a97adfce0345a01ba"
        },
        {
            "id": "IN-MAL-2026-006735",
            "import_time": "2026-06-16T02:23:11.930944117Z",
            "versions": [
                "1.0.3"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T02:14:10Z",
            "sha256": "9b805c0ac88b45f49b1698fb9ea33e00767380544221d574a0da0e0f526d07f8"
        },
        {
            "id": "IN-MAL-2026-006732",
            "import_time": "2026-06-16T02:23:11.821877208Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.5"
            ],
            "modified_time": "2026-06-16T02:14:07Z",
            "sha256": "aad86da9d58e69db4eb1e7bf9a63166f6f11da09a012a41c2a76c99add3e3fd0"
        },
        {
            "id": "IN-MAL-2026-006729",
            "import_time": "2026-06-16T02:23:11.643072088Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.4"
            ],
            "modified_time": "2026-06-16T02:14:05Z",
            "sha256": "b20773f0af359b4191d9b4718f7b8d984d5c9fca236ebd8ce151e487554b8aea"
        },
        {
            "id": "IN-MAL-2026-006736",
            "import_time": "2026-06-16T02:23:11.981672505Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-16T02:14:11Z",
            "sha256": "ba5124f00c898366c83713400b6d4d03d01a94d927830248026bb49db66fb1ff"
        },
        {
            "id": "IN-MAL-2026-006730",
            "import_time": "2026-06-16T02:23:11.706793857Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.6"
            ],
            "modified_time": "2026-06-16T02:14:06Z",
            "sha256": "e3474ad4e933b73f874c39c9728accc1028c4a152768e218f2434c8a45057843"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / event-metrics-q3x7

Package

Name: event-metrics-q3x7; View open source insights on deps.dev
Purl: pkg:npm/event-metrics-q3x7

Affected ranges

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/event-metrics-q3x7/MAL-2026-5857.json"

indicators

{
    "package_integrity": [
        {
            "filename": "event-metrics-q3x7-1.0.2.tgz",
            "hashes": {
                "sha1": "be779559c7c8f86af296faca4bc9e414847e3983",
                "sha512_sri": "sha512-83+n1zO+RagN1tvft+4yaUAFsPxAlU0J+1E1OtjCc5JDHPU6oJPCIOB+FWCIEGBRacuzFVEXN+L8GAr0f9YThQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "beacon19.js",
            "sha256": "27bd36039ac1ff44ef58fe302f7b7ef6a0316de806c379d6fcf170b35f678525",
            "tlsh": "df02b571e8215c247592d5ad8a0b941a3137b3173a61fda0bb8e708c2fce19ec2764fd"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "765d9ac3194d4ce74676a87370c4ce35e59522ddb49d50c2e18af64bb0705815",
            "tlsh": "35f09e449c302d3359c52ed80c619989f6344f0b60547d2d427b1d2841dee7930be15d"
        }
    ]
}