MAL-2026-5982

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-probe-77d4/MAL-2026-5982.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5982
Published
2026-06-17T04:43:34Z
Modified
2026-06-17T06:02:03.720792160Z
Summary
Malicious code in metrics-probe-77d4 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1d079b30dbb30db1a61acddcd094d2e7e67e7ef466d624e4ad2392edc9d9203e)

On install, package.json runs postinstall: node run.js. run.js imports os, fs, http, https, and child_process and at runtime collects host identifiers (os.hostname(), os.platform()) and reads files from the filesystem (fs.existsSync / fs.readFileSync), then issues outbound HTTP/HTTPS requests including POST calls (run.js lines 322, 329) and GET / http.get fetches (lines 38, 190). The postinstall lifecycle hook causes this code to execute automatically on npm install without consumer interaction, exposing installer host information and local file contents to attacker-controlled network destinations. The package name (random suffix -77d4) and the absence of any documented purpose are consistent with a disposable exfiltration lure rather than a legitimate library.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006902",
            "import_time": "2026-06-17T05:45:43.380174521Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-17T04:43:34Z",
            "sha256": "1d079b30dbb30db1a61acddcd094d2e7e67e7ef466d624e4ad2392edc9d9203e"
        }
    ]
}

Affected packages

npm / metrics-probe-77d4

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-probe-77d4/MAL-2026-5982.json"
indicators
{
    "package_integrity": [
        {
            "filename": "metrics-probe-77d4-1.0.0.tgz",
            "hashes": {
                "sha1": "615d6e0a4b868515e834d525fcb6d40d0cd65e72",
                "sha512_sri": "sha512-jl19Ah541DVC7oOlbmezYRBa43lNnpQswa3CnmsppIS34A4ZDbgfK49zGzQ3OvMJ2XQSSRfV3noVIIZQk1aVCg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "57ca0bcff5a61cb4ff7da366fc8df23e35074d39d673e3311838a34c3f52151e",
            "tlsh": "21e022189c20393369c02aaa0ca2925ba6708f1b2014396c92bb2928429bb7a747b51d"
        },
        {
            "path": "run.js",
            "sha256": "f139736230fff6fd52e561779e183eedda17ab5d3842a9ec6bad4b68c0460b00",
            "tlsh": "7362e77619f74a2439a3ea9d971fa4016423f1177a55ede0f28c76200fcf528d1a2ef8"
        }
    ]
}