MAL-2026-5992

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/runtime-metrics-w7k2/MAL-2026-5992.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5992

Published

2026-06-17T04:41:58Z

Modified

2026-06-17T06:02:05.383195508Z

Summary

Malicious code in runtime-metrics-w7k2 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9c2062a3f2564ced7261d9b8be8a49e11117bd74ffe3e92aad6029c471921e2d)

Package declares a postinstall hook ("postinstall": "node run.js") that fires automatically on npm install. The tarball ships beacon scripts (beacon18.js, beacon_linux.js) that import child_process, os, and http, read host identifiers via os.hostname() / os.platform(), and issue outbound HTTP GET/POST requests carrying that data. The combination — automatic install-time execution, host enumeration, child_process reachability, and unsolicited outbound HTTP from an unknown low-reputation package named with a random suffix — matches a host-beacon / exfiltration shape with no legitimate library purpose. Installing this package on a developer or CI machine causes immediate disclosure of host metadata to an external endpoint and provides the publisher a foothold for follow-on commands.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006899",
            "import_time": "2026-06-17T05:45:43.210206573Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-17T04:41:58Z",
            "sha256": "9c2062a3f2564ced7261d9b8be8a49e11117bd74ffe3e92aad6029c471921e2d"
        }
    ]
}

References

https://www.npmjs.com/package/runtime-metrics-w7k2/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / runtime-metrics-w7k2

Package

Name: runtime-metrics-w7k2; View open source insights on deps.dev
Purl: pkg:npm/runtime-metrics-w7k2

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/runtime-metrics-w7k2/MAL-2026-5992.json"

indicators

{
    "package_integrity": [
        {
            "filename": "runtime-metrics-w7k2-1.0.0.tgz",
            "hashes": {
                "sha1": "e8bf3fc890bbb3c047cca830ab684902645a0d33",
                "sha512_sri": "sha512-aa8e3LNjuadgZaBuAxX3r+AnJOH2a4VAQKKCNPPPCjyOS/N+dLm8rbBunGSgLs8keutcI/zz+ESydrsRlvuC1w=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "beacon18.js",
            "sha256": "9c82a9ea5aeb13cc266d5054ddf5c44f87eb909bd09124e0b370aac445c9010f",
            "tlsh": "b112b431e4215c247592d5ad8a0b94293137b3133a62fea0bb8e748c2fce15e82765fd"
        },
        {
            "path": "beacon_linux.js",
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"
        },
        {
            "path": "package.json",
            "sha256": "c12b616c047fdbeed5685f9e5d6f034d5d833bd5a1024a4ef97e2cd51b8dd0d6",
            "tlsh": "33f0c048ac203c335ac03ed80da3598af6308f0b61547e5d8277192842def3a74bf15d"
        }
    ]
}