MAL-2026-5984

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nepublisher/MAL-2026-5984.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5984
Published
2026-06-17T04:23:28Z
Modified
2026-06-17T06:02:04.306405827Z
Summary
Malicious code in nepublisher (npm)
Details

Source: amazon-inspector (9fc0d0609f88630f7ce36adf18c70a1d6bd3d64aaaa059a3b8ec9b97b813705a)

On npm install, lib/_init.js spawns a detached Node child process that collects host identifiers (hostname, username, cwd, IPv4 addresses, Node version, npm registry) and the names of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/, then HTTPS-POSTs the data to a hardcoded DingTalk robot webhook (oapi.dingtalk.com/robot/send) with a Chinese title meaning 'someone came online'. The script also contains explicit sandbox-evasion logic at lib/_init.js:9-12 that no-ops when the username or hostname contains 'sandbox', 'malware', 'analyst', 'cuckoo', 'analysis', or 'sample' — a clear intent signal designed to hide the beacon from automated analyzers. The collected fields plus the CI/registry-focused env-name filter are the canonical dependency-confusion reconnaissance pattern: identify which organizations have pulled the package by mistake and harvest target intel for follow-on internal-package attacks.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006884",
            "import_time": "2026-06-17T05:45:42.188653548Z",
            "versions": [
                "0.4.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:23:28Z",
            "sha256": "9fc0d0609f88630f7ce36adf18c70a1d6bd3d64aaaa059a3b8ec9b97b813705a"
        }
    ]
}
References
Credits

Affected packages

npm / nepublisher

Package: npm / nepublisher
Affected ranges: 0.*
Affected versions: 0.4.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nepublisher/MAL-2026-5984.json"
indicators
{
    "package_integrity": [
        {
            "filename": "nepublisher-0.4.0.tgz",
            "hashes": {
                "sha1": "75341a009e58b257a1c068c3819633d6ccb1b842",
                "sha512_sri": "sha512-5ghcPxkKlnNPYpj+WD9GHxXbBOemLC5v0eXv96R1VXPyxXwDk16AWS/6tFaUm9YQ1hfeEHRpj1fjzYMskStWAw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/_init.js",
            "sha256": "4dce624e18ed06db3f4d3778d19bb8fda6bb70b9bb3a835031fdc3e36478f164",
            "tlsh": "f141b5e675a57638177c85c290821016da57e2223583f8e0fc2c41d61bc78fa9af293e"
        }
    ]
}