MAL-2026-5981

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-probe-64b2/MAL-2026-5981.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5981
Published
2026-06-17T04:43:39Z
Modified
2026-06-17T06:02:03.697527022Z
Summary
Malicious code in metrics-probe-64b2 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cae901b673ee21724897f69c782eb2808c55c2722bacc9912a4a3e60f7019883)

package.json declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on every npm install. run.js imports os, fs, http, https, and child_process, reads host identifiers including os.hostname() and os.platform(), reads files from disk via fs.readFileSync, and issues outbound HTTP POST requests carrying that data. The package's stated name ("metrics-probe") with a random hex suffix, combined with an install-time host-fingerprinting beacon and no library functionality, matches the shape of an installer-side reconnaissance / data-exfiltration payload that fires automatically on npm install without any user action.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006903",
            "import_time": "2026-06-17T05:45:43.436678696Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "sha256": "cae901b673ee21724897f69c782eb2808c55c2722bacc9912a4a3e60f7019883",
            "modified_time": "2026-06-17T04:43:39Z"
        }
    ]
}

Affected packages

npm / metrics-probe-64b2

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-probe-64b2/MAL-2026-5981.json"
indicators
{
    "package_integrity": [
        {
            "filename": "metrics-probe-64b2-1.0.0.tgz",
            "hashes": {
                "sha1": "05da68666682b5f54ac1c79cb43131de84422dd1",
                "sha512_sri": "sha512-dFEyLdnMOdjFB+7NIEJddYO+Dr91b+Dnu4yy/Wok0ExOIJcDGT1iMAI3u1hEiD6hmt/d9G5N112w0yUrCjSo0g=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "517355c5fb8b2974eaff6eda9f8496683d0faa96775112a5bd6312903fcf19e9",
            "tlsh": "1fe02b189c20393365c41aa90c919257a6304f1b2014391c53772428429bb79747b11d"
        },
        {
            "path": "run.js",
            "sha256": "8f47628c7cee00cb7f15df58acb59752085d8cc79735cf65dc51e3c6d57d8b1b",
            "tlsh": "7762f87619f74a2439a3ea9d971fa4016423f1077a51eda0f28c72200fcf528d1b2ef8"
        }
    ]
}