MAL-2026-5983

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-probe-dc85/MAL-2026-5983.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5983

Published

2026-06-17T04:43:32Z

Modified

2026-06-17T06:02:04.152394926Z

Summary

Malicious code in metrics-probe-dc85 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (aaa3316d23c1a348fb5c68a36eb775ca51f90d0e44973508dd5a8ba5a139e932)

On install, package.json declares postinstall: node run.js, which auto-executes run.js when the package is installed. run.js imports os, fs, http, https, and child_process, collects host identity via os.hostname() and os.platform(), reads from the local filesystem, and POSTs the gathered data over HTTP/HTTPS. The combination of automatic install-time execution, host-identity enumeration, filesystem reads, and outbound POST traffic is the canonical install-time host-fingerprinting / exfiltration pattern. Installing this package causes the installer's machine identity and local file content to be sent to a remote endpoint without consent.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006901",
            "import_time": "2026-06-17T05:45:43.32856638Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-17T04:43:32Z",
            "sha256": "aaa3316d23c1a348fb5c68a36eb775ca51f90d0e44973508dd5a8ba5a139e932"
        }
    ]
}

References

https://www.npmjs.com/package/metrics-probe-dc85/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / metrics-probe-dc85

Package

Name: metrics-probe-dc85; View open source insights on deps.dev
Purl: pkg:npm/metrics-probe-dc85

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metrics-probe-dc85/MAL-2026-5983.json"

indicators

{
    "package_integrity": [
        {
            "filename": "metrics-probe-dc85-1.0.0.tgz",
            "hashes": {
                "sha1": "81c5e59669a19edd79c104307b88b549a15669e7",
                "sha512_sri": "sha512-DVj+031zjjV6CvgatXq8PvfAimJx5/cIpYmFBpd49sDH1SbYkRymQ+D3MxU1WVB+d4eQ1MI7KcAxZEQBnjjRsg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "d259ff93415b03847c023e1c0b60f7c32d65ea2bc4cc4ec5f47d7acda55e8348",
            "tlsh": "bde06858dc20393339c02aa90ca6925bb7308f0f30147d2c93bb282842dbb7ab47b15d"
        },
        {
            "path": "run.js",
            "sha256": "526fd9567f5f6db16ba07f2f2358b4ed5e7af9493951cd838a6f876a624302f9",
            "tlsh": "4a62e87519f74a2439a3eaad975fa4016423f1177a51eda0f28c77200fcf528d1a2ef8"
        }
    ]
}