MAL-2026-5993

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sheratan_test_p/MAL-2026-5993.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5993
Published
2026-06-17T04:20:05Z
Modified
2026-06-17T06:02:05.511045133Z
Summary
Malicious code in sheratan_test_p (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (472354ac3cd0bba5d399eea2f09e4b7f60cb2cb65e20d4af0f6398882403f566)

On npm install, the package's postinstall.js executes whoami via child_process and POSTs the output (along with stderr, error, and a timestamp) to a hardcoded webhook.site collector URL. The package self-describes as 'A simple date formatting utility' and contains no code matching that purpose; the only behavior on install is the host-identity beacon. Package metadata is consistent with a throwaway exfiltration artifact (placeholder name sheratan_test_p, empty author, generic description). Any developer or CI runner installing this package leaks their user/host context to an attacker-controlled third-party collector.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006877",
            "import_time": "2026-06-17T05:45:41.767579872Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T04:20:05Z",
            "sha256": "472354ac3cd0bba5d399eea2f09e4b7f60cb2cb65e20d4af0f6398882403f566"
        }
    ]
}

Affected packages

npm / sheratan_test_p

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sheratan_test_p/MAL-2026-5993.json"
indicators
{
    "package_integrity": [
        {
            "filename": "sheratan_test_p-1.0.0.tgz",
            "hashes": {
                "sha1": "4d1b634763fa4a255efa015a26989675ddc0f23b",
                "sha512_sri": "sha512-rfLv2VrkpTah2GDy7hj6/cq/2VdloGPatHdvKt0mijXyEp5T42RrOY2DT0cQJBiv4hy3bOw7pJTwSLMQhkan7Q=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "3b000e0e744ef8a80f1d503b690be975df0e2e6b75f6951cec18d57862e425ce",
            "tlsh": "a501bd824da235555bf1d6a0f1129608fb83c63ba431c7637bfe02692fe98a00011fdc"
        },
        {
            "path": "package.json",
            "sha256": "01bf71070be153cf01fcdc752d647f418af4af775ab6c5fe8c1208f83ad59de2",
            "tlsh": "b6d0a7254911523367b44aa55a234507b5218f1e15384c0f71bb141842d36b244aa71a"
        }
    ]
}