MAL-2026-5986

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-ping-r9t2/MAL-2026-5986.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5986

Published

2026-06-17T04:41:46Z

Modified

2026-06-17T06:02:04.402964447Z

Summary

Malicious code in npm-sandbox-ping-r9t2 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (335649d395a44d7de1bc6343dbce1f0459414ef92ab149413a86b47e28f3c7c3)

package.json declares a postinstall hook ("postinstall": "node run.js") that auto-executes on install. The package ships beacon scripts (beacon14.js, beaconlinux.js) that import childprocess and http/os, run shell commands such as whoami, read process.env, process.platform, os.hostname(), os.platform(), and transmit the collected host/identity data via http.request GET/POST to a remote endpoint. The data flow (system enumeration -> outbound HTTP) and the install-time auto-execution together constitute a credential/host-info exfiltration beacon. Installer harm: any machine that runs npm install npm-sandbox-ping-r9t2 will silently execute these beacons and leak local identity/environment information to a remote endpoint.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006898",
            "import_time": "2026-06-17T05:45:43.134943187Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-17T04:41:46Z",
            "sha256": "335649d395a44d7de1bc6343dbce1f0459414ef92ab149413a86b47e28f3c7c3"
        }
    ]
}

References

https://www.npmjs.com/package/npm-sandbox-ping-r9t2/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / npm-sandbox-ping-r9t2

Package

Name: npm-sandbox-ping-r9t2; View open source insights on deps.dev
Purl: pkg:npm/npm-sandbox-ping-r9t2

Affected ranges

Affected versions

1.*

1.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-ping-r9t2/MAL-2026-5986.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "npm-sandbox-ping-r9t2-1.0.0.tgz",
            "hashes": {
                "sha1": "6a63b5824848f5ef3ee8af466950087846e8d2f1",
                "sha512_sri": "sha512-Hi7WZLU9dvbl6vGcapqlKkKe0Yb31dNFad5ZyIZBBprbSGFRMa1HI2lCtwhTNHNmMs5iNspUUUWaX9sVkQT3bw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "beacon14.js",
            "sha256": "bb7b836d1fcdb4e22dbca9a8448c57edb9b3af8d6b4eb8d7dc312c11871771ba",
            "tlsh": "4c229806f2612d94669359b4d94a7888342ba30f5e70b9a0f7de4acc1fdc21f92709fd"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "248c86f0a720e5b71264093224f5f44d73e3cf503cdf632fac68792e544b5c01",
            "tlsh": "d8f08b949c306e3329d529d80c92694afa344f0b6144b9ae83bb192801dee3634bb28d"
        }
    ]
}