MAL-2026-6085

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hotcappuccino/nodepull/MAL-2026-6085.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6085
Published
2026-06-17T21:52:46Z
Modified
2026-06-17T22:46:52.278438187Z
Summary
Malicious code in @hotcappuccino/nodepull (npm)
Details

Source: amazon-inspector (42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99)

@hotcappuccino/nodepull@1.0.0 ships a single index.js (the package's declared main) that is wrapped in an obfuscator.io string-array + RC4-encrypted-string scheme. At top level — fires on every require('@hotcappuccino/nodepull') — the module loads child_process, fs, os, path, and an HTTP client; reconstructs a dotted URL through repeated ''.repeat(N,'.') concatenations of RC4-decrypted fragments; performs httpClient.get(URL + path); writes the response body to path.join(os.tmpdir(), <filename>) via fs.writeFileSync(..., {flag:'w+'}); and immediately invokes child_process.spawn(filePath, args, {windowsHide: true, cwd: os.tmpdir()}). The 249-entry rotated string array is decoded by b/c using base64 + RC4 keyed by index 0, hiding the URL, spawned command, and required module names from inspection. There is no legitimate purpose served by RC4-encrypting every string (including module names) in a package whose only behavior is to fetch and execute a remote binary at import time. Any installer that requires this package executes attacker-controlled bytes from a hidden remote endpoint as a child process with the console window suppressed.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "42e9bbd7a5cb25d0863ef140b42a7ab2abec1e921e18669eef3f07a91c3d6d99",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T21:52:46Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006949",
            "import_time": "2026-06-17T22:38:21.580532972Z"
        }
    ]
}

Affected packages

npm / @hotcappuccino/nodepull

Package

Name
@hotcappuccino/nodepull
Purl
pkg:npm/%40hotcappuccino%2Fnodepull

Affected ranges

Affected versions

1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@hotcappuccino/nodepull/MAL-2026-6085.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "862d8d193ef2863437bd2214624b63b395413facdc0509338ee664f7f33a7218",
            "tlsh": "5292b6cc3bc1b0b45373f07b7e1aa0a2f16a5c8db2998444f796f498f968314d1b6b58",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-8Vah9+Gyl9qmwOSzyz1m22PsAPm+3eEER3N+AQdrKLc2gPAnkBZBrdxhPiWm4iVgIgF2DqXH6SqUJEhfnTxmFw==",
                "sha1": "6f1f32f8873905f3605441e8ca426bdf1443a072"
            },
            "filename": "nodepull-1.0.0.tgz"
        }
    ]
}