MAL-2026-6067

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/scan-only/MAL-2026-6067.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6067
Published
2026-06-17T17:04:07Z
Modified
2026-06-17T20:01:51.903742695Z
Summary
Malicious code in scan-only (npm)
Details


Source: amazon-inspector (9a7779ff21d9783e1026e13a7abf65e448c5f3d3d111f3cae539f3690e53a2b4)

The CLI binary at bin/scan-only.js, when invoked (e.g., via npx scan-only --diagnose), harvests secrets from the installing user's machine, ships them to a hardcoded attacker endpoint, and then fetches and executes attacker-controlled shell commands.

Specifically, the binary reads ~/.gitconfig, ~/.ssh, ~/.npmrc (npm token), ~/.aws/credentials, ~/.docker/config.json, ~/.bash_history, ~/.zsh_history, the full process.env, os.userInfo(), and the network interfaces, packages them into a recon object, and POSTs them to https://sentry.citadel-casino.com/collect with a hardcoded x-api-key header and the user-agent citadel-diagnose/0.2.0. It also fetches https://sentry.citadel-casino.com/decoy and runs a refineText() routine that extracts a hidden command as an acrostic of first letters terminated by endofpayload, unescapes tokens such as sbslash to \, and passes the result to execSync via /bin/sh on Unix or powershell -EncodedCommand on Windows. This gives the operator of sentry.citadel-casino.com arbitrary code execution on the host running the CLI.

The exfiltration is masked by fake "Sentry Diagnostic Tools v1.2.0" console banners, and the Sentry-lookalike subdomain on citadel-casino.com serves as brand-impersonation cover. The generic "Diagnostic tool" description in package.json and the scan-only bin name disguise the binary's true citadel-diagnose identity. The harm fires the moment a developer or CI system runs the CLI.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "117c86ce8a46816d63f57e4c6f2015c70c92480428c4436f78b492bfaa5cb2c3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:10Z",
            "id": "IN-MAL-2026-006907",
            "versions": [
                "0.4.2"
            ],
            "import_time": "2026-06-17T17:32:18.891967002Z"
        },
        {
            "sha256": "7b940e23f31bc48db5cf3c87a8e9fa1b746505e326521105619dfe12f883da4b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:14Z",
            "versions": [
                "0.4.3"
            ],
            "id": "IN-MAL-2026-006911",
            "import_time": "2026-06-17T17:32:19.526071358Z"
        },
        {
            "sha256": "aa03231f11911a8cb8561add13ed2cf6a705021ea2f5b8f6e949a99796cd7cb4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:13Z",
            "id": "IN-MAL-2026-006910",
            "versions": [
                "0.2.0"
            ],
            "import_time": "2026-06-17T17:32:19.396413515Z"
        },
        {
            "sha256": "b523ee98635b5214fba801ee136ec0548d4e16c132516d087c788bce841658e0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:11Z",
            "versions": [
                "0.4.1"
            ],
            "id": "IN-MAL-2026-006908",
            "import_time": "2026-06-17T17:32:19.0702368Z"
        },
        {
            "sha256": "21ae3a240675015022a6f119cc0795f3904276a955f1bb5f653e883d778c3697",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:17Z",
            "id": "IN-MAL-2026-006912",
            "versions": [
                "0.4.0"
            ],
            "import_time": "2026-06-17T17:32:19.653325509Z"
        },
        {
            "sha256": "4efea3893451636daac8f951e74e6c36c3fb72b10defac3eadba6ef360913425",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:07Z",
            "versions": [
                "0.4.4"
            ],
            "id": "IN-MAL-2026-006906",
            "import_time": "2026-06-17T17:32:18.758196493Z"
        },
        {
            "sha256": "633fb5a8c3bbce8086e8c9e8853fa6a81f8b0d2a7645938be0a2fc32aa0be3af",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:12Z",
            "versions": [
                "0.3.0"
            ],
            "id": "IN-MAL-2026-006909",
            "import_time": "2026-06-17T17:32:19.240982956Z"
        },
        {
            "sha256": "02d12029193cf5c42cb47575070769fa2863a4bcfd87877ff5eadd84e3fcf005",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T18:12:09Z",
            "versions": [
                "0.5.0"
            ],
            "id": "IN-MAL-2026-006924",
            "import_time": "2026-06-17T18:56:07.528950461Z"
        },
        {
            "sha256": "8f6d12c05f2ed743b7e67b06d43d3a696f581f6f2b65744fc721e36ef34f3901",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T18:12:01Z",
            "id": "IN-MAL-2026-006922",
            "versions": [
                "0.4.9"
            ],
            "import_time": "2026-06-17T18:56:07.29012233Z"
        },
        {
            "sha256": "9a7779ff21d9783e1026e13a7abf65e448c5f3d3d111f3cae539f3690e53a2b4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T18:11:26Z",
            "id": "IN-MAL-2026-006920",
            "versions": [
                "0.4.5"
            ],
            "import_time": "2026-06-17T18:56:07.093300102Z"
        },
        {
            "sha256": "a2a62b541f49c4afa753b1eca36ea975a55b5acdc67a2afa657e35147a7c7169",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T18:12:07Z",
            "id": "IN-MAL-2026-006923",
            "versions": [
                "0.4.8"
            ],
            "import_time": "2026-06-17T18:56:07.381391084Z"
        },
        {
            "sha256": "d71b7cd780060714d911a699eb3c6d843b772573e9de99380a9c9fc0130268cb",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T18:11:29Z",
            "id": "IN-MAL-2026-006921",
            "versions": [
                "0.4.6"
            ],
            "import_time": "2026-06-17T18:56:07.18341298Z"
        },
        {
            "sha256": "da16f6edd9f3f0a876381602ddcd89b2717f68fd8d4888101a313628c8676f01",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T18:11:25Z",
            "id": "IN-MAL-2026-006919",
            "versions": [
                "0.4.7"
            ],
            "import_time": "2026-06-17T18:56:06.953556919Z"
        },
        {
            "sha256": "74f20dc79ebffd17c5af3ec0600301a0d201519da36e656163d6c9032db9d84a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T19:21:10Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006932",
            "import_time": "2026-06-17T19:45:56.810949319Z"
        }
    ]
}

Affected packages

npm / scan-only

Package: npm / scan-only

Affected ranges and versions

0.*: 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.5.0
1.*: 1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/scan-only/MAL-2026-6067.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "fd0b7ebeca51f16a3ea22859ffb571a31a25ff0153cbc5142853baf11def9ab5",
            "tlsh": "4ca175aa01fd483417a7205d150f04a229477f036906fd997b2c579e6fd9a6cc0f339d",
            "path": "bin/scan-only.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-v44G5m8NHZ0laA4Dk0oJTrDUMpv19B+v+vILNHX7Ahbq0L1Bb9pTnOaERhpvPP5GHDXzyDeagE0O0v/PXHfQsA==",
                "sha1": "ec5d160391d9ea934e73941e3a44bee264dcc7c9"
            },
            "filename": "scan-only-0.4.2.tgz"
        }
    ]
}