MAL-2026-6090

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/data-utils-bcf2/MAL-2026-6090.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6090

Published

2026-06-18T03:54:28Z

Modified

2026-06-18T05:46:39.706820603Z

Summary

Malicious code in data-utils-bcf2 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf)

The package declares a postinstall lifecycle hook ("postinstall": "node run.js" in package.json) that automatically executes run.js on install. run.js imports os, fs, http, https, and child_process, collects host identifying information (os.hostname(), os.platform()), reads files from disk (fs.readFileSync, fs.existsSync), and issues multiple POST requests over HTTP/HTTPS (run.js lines 134, 137, 348, 355). The combination of automatic install-time execution, host fingerprinting, filesystem reads, and outbound POSTs is the canonical install-time exfiltration shape. Installing this package on a developer machine or CI runner will run the reconnaissance and exfiltration code without user interaction.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "52e6ddf4cbc1a035918a5bd136c865ff526f430db21268d75d3c90fa74196fdf",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T03:54:28Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006960",
            "import_time": "2026-06-18T05:42:04.371373899Z"
        }
    ]
}

References

https://www.npmjs.com/package/data-utils-bcf2/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / data-utils-bcf2

Package

Name: data-utils-bcf2; View open source insights on deps.dev
Purl: pkg:npm/data-utils-bcf2

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/data-utils-bcf2/MAL-2026-6090.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "561e6c852bc499eb123d918890a06d3da33f87965198b84c9ff50c3061499d35",
            "tlsh": "ece068289c20393339c02ae80c669297f7308f1b30143d2d92b72829429bb7ab47b24d",
            "path": "package.json"
        },
        {
            "sha256": "23c111f3ecd1f37bea0f0fb0b51d6bdac267d3adcfdd52d972f72cda6f82ac42",
            "tlsh": "c382e7b219b7461479a3e6ade66fa4005033f1177a51eda0f28c73510fcf668d1b2af8",
            "path": "run.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-cockDOMoPNHjz28QODHA21n/5DBJ5ytblFscjWFzHG53stSLKacUikj+jDjKsQ1Htj39ZU7q0bWRfXrl+SJ5nQ==",
                "sha1": "c3a92d7f44c7c0064b0cdd531e84f88bfb7c6e07"
            },
            "filename": "data-utils-bcf2-1.0.0.tgz"
        }
    ]
}