-= Per source details. Do not edit below this line.=-
The package impersonates the DataCamp brand while shipping near-empty stub exports (the init/helper exports in index.js return trivial constants). Its postinstall lifecycle hook (node install.js) runs on every npm install and collects the installer's hostname, OS username, home directory, platform, current working directory, and a timestamp, then POSTs them over HTTPS to dc.iam.c.noratomo.asia/install with TLS certificate verification disabled (rejectUnauthorized: false), so the client accepts whatever certificate the endpoint presents. The destination domain has no relationship to datacamp.com. Taken together, the brand-impersonating name, hollow library functionality, lifecycle-triggered outbound beacon to an unrelated domain, host-identifying fields, and disabled TLS verification indicate a supply-chain reconnaissance implant targeting developers who install the package expecting DataCamp tooling.
{
"malicious-packages-origins": [
{
"sha256": "4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c",
"source": "amazon-inspector",
"modified_time": "2026-06-18T03:55:18Z",
"id": "IN-MAL-2026-006961",
"versions": [
"1.0.0"
],
"import_time": "2026-06-18T05:42:04.473269773Z"
}
]
}[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datacamp-light/MAL-2026-6091.json"
{
"evidence_files": [
{
"sha256": "3c45f85bae5b016c2d076c42d30a861aff63ea96f27e565882ec790c1e3d5f12",
"tlsh": "4df0c9f8d3b29bb02aba92c07047c416c622f120b51bb8f0addd4180634a5a410b2cf2",
"path": "install.js"
},
{
"sha256": "3c2ce749c590c913140880bc16fa593edda2329677d2f319723144bd7a1a692f",
"tlsh": "67f0552819228d3352d55f97284a800225b19d131480788c2f9b926c579e3be68ff32d",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-TCPYRb8nqFtwFTP2uGzrDd9f0VLa4JxxyuHXRc2uOaIlWmdvFou08eH4EAa60P8H6dv6Ld7bqgT5vYV3c9lR/w==",
"sha1": "013dbb6a3fdbc59bcf3bc3a9e078f0ee037219cf"
},
"filename": "datacamp-light-1.0.0.tgz"
}
]
}