MAL-2026-5990

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pkg-telemetry-r4f9/MAL-2026-5990.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5990

Published

2026-06-17T04:42:06Z

Modified

2026-06-17T06:02:05.044360752Z

Summary

Malicious code in pkg-telemetry-r4f9 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e)

On install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine childprocess, os, and http modules to collect host identifiers and send them to a remote endpoint. beaconlinux.js reads os.hostname() and os.platform() and issues an http.request POST carrying that data to a hardcoded host. beacon17.js similarly imports childprocess and performs outbound HTTP GETs. The package name ("pkg-telemetry-r4f9" with a random-looking suffix) and its install-time-only behavior are inconsistent with any legitimate library purpose. Installing this package causes automatic, unconsented exfiltration of installer host metadata and provides a remote-execution surface via childprocess.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006900",
            "import_time": "2026-06-17T05:45:43.258644597Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-17T04:42:06Z",
            "sha256": "decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e"
        }
    ]
}

References

https://www.npmjs.com/package/pkg-telemetry-r4f9/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / pkg-telemetry-r4f9

Package

Name: pkg-telemetry-r4f9; View open source insights on deps.dev
Purl: pkg:npm/pkg-telemetry-r4f9

Affected ranges

Affected versions

1.*

1.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pkg-telemetry-r4f9/MAL-2026-5990.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "pkg-telemetry-r4f9-1.0.0.tgz",
            "hashes": {
                "sha1": "0dc346a212c3dd335b6ce0463c80986291547617",
                "sha512_sri": "sha512-iTRxnWCbtV4C0Ipi9vkgIOQVcQao2wBMqvtF3GtqiB43h0FCv2VepKgp6fojY0ky+vjbUpZGaXZcFEdeT4gaXg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "beacon17.js",
            "sha256": "14bcafbb9a20038cbb57a72837cb4c4ef2d841739ae4bca23a9784ef6c4a71c2",
            "tlsh": "f6220725b9605c306692e9688b4b94287537e3173a71fea0bbde11881fdd05ec2b18fd"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "9de736d505061498fa1113abb763cdb1b3802c8b47c523dc64d2228ffa7e0d4f",
            "tlsh": "d9f08b249c2068236ac02ee90c62594eeb708f0b11547a6e827b192801dee3935be14d"
        }
    ]
}