MAL-2026-5972

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/canary-ci-test/MAL-2026-5972.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5972

Published

2026-06-17T04:24:09Z

Modified

2026-06-17T06:02:01.733115813Z

Summary

Malicious code in canary-ci-test (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a572fd7ffa39ecc1ba62c71d1dfe31722bfbe0c4118b7ab8400c1d5f4a61ba0f)

On npm install, the package's postinstall lifecycle script (postinstall.js) collects installer-side host identifiers — os.hostname(), os.userInfo().username, process.cwd(), platform, and a DNS resolution result — and POSTs them as JSON to the hardcoded endpoint https://opgelost.nu/ (BEACON_URL declared at postinstall.js:15; HTTPS request constructed at line 31; POST issued at line 33; payload assembled at lines 58-66). The fetch fires automatically with no opt-in, and errors are silently swallowed so installers see no indication of the outbound beacon. The behavior is unrelated to any documented package purpose and matches a classic install-time phone-home exfiltration pattern. The package's own metadata declares it to be a scanner test fixture; the executed code, however, is functional exfiltration that runs against any machine that installs it.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006885",
            "import_time": "2026-06-17T05:45:42.228220723Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-17T04:24:09Z",
            "sha256": "a572fd7ffa39ecc1ba62c71d1dfe31722bfbe0c4118b7ab8400c1d5f4a61ba0f"
        }
    ]
}

References

https://www.npmjs.com/package/canary-ci-test/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / canary-ci-test

Package

Name: canary-ci-test; View open source insights on deps.dev
Purl: pkg:npm/canary-ci-test

Affected ranges

Affected versions

1.*

1.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/canary-ci-test/MAL-2026-5972.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "canary-ci-test-1.0.0.tgz",
            "hashes": {
                "sha1": "3107caf4128ea5e046566f3b9896c76a64cb0742",
                "sha512_sri": "sha512-+e0eSadcAu4J3lb0wTwkr6JIY4hGheOj+mBI5jQVZau2i0T9o44q72eepT3ljRmo61H5qaTUcEhLWdcU3zhodA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "340b2faf0f0b89b9a7e2c3715bd154c20d6cf73c082017d83a2d27644af21f31",
            "tlsh": "0a41845a54f2b27916f3faa8950b24091263e11b7d08aca4f28c02900f4f7ac11f26ee"
        },
        {
            "path": "package.json",
            "sha256": "79787e156405d51285006f4bee73e22e8e1851f494ceae0290cd7c9c5b4fca3c",
            "tlsh": "66e02b148ea0967b34c48bad1a63805a6a26493a1244586463c79498565677708bf34f"
        }
    ]
}