MAL-2026-6098

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stackus/MAL-2026-6098.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6098
Published
2026-06-18T04:09:20Z
Modified
2026-06-18T05:46:38.903192069Z
Summary
Malicious code in stackus (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456)

On require(), lib/writer.js (loaded transitively from the package's main pino.js) collects the installer's full process.env together with host identifiers (os.hostname, os.userInfo().username, os.platform(), and external MAC addresses) into a data object, then performs an unconditional axios GET to https://www.jsonkeeper.com/b/MYUKZ and passes the response body through eval(). A second hex-obfuscated jsonkeeper.com URL (https://www.jsonkeeper.com/b/HY6M6) is also staged in the same file. jsonkeeper.com is an anonymous, user-editable JSON paste host, so the eval'd payload is mutable attacker-controlled content with closure access to the staged environment dump — a complete credential-exfiltration + remote-code-execution channel that fires on every consumer that imports the package. The package masquerades as the pino logger: it declares main=pino.js, homepage=https://getpino.io, replicates pino's writer/proto/levels/transport API surface, and ships pino-branded images, while the package name 'stackus' is unrelated to pino.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T04:09:20Z",
            "versions": [
                "1.0.6"
            ],
            "id": "IN-MAL-2026-006976",
            "import_time": "2026-06-18T05:42:06.381043496Z"
        }
    ]
}
References
Credits

Affected packages

npm / stackus

Package

Affected ranges

Affected versions

1.*
1.0.6

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stackus/MAL-2026-6098.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "b6d314d7ec721484bb7a6d72c9dc580e8b9e9d53ca459480f98a20366b823c7d",
            "tlsh": "781120a2c392a414223017f248db4820bee5f35120d3418cbebc8ada2bf39e17154fa8",
            "path": "lib/writer.js"
        },
        {
            "sha256": "dc7cdf9baf1f4001603a7659b60d6766d493b6108d4654aabbe7e601940ea4c0",
            "tlsh": "7f01bd24ce388d6304e8289148a90287a6609c575c1cbd2c73c7232c1f4d57f15ba12e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-CveWbGxKlyZO7Veaccxzlh6MaR763pSNRnReMwodxptacTBlTRU0hr1mmU30mXL5Z1c4lhWh+aN0iHC0Api4nw==",
                "sha1": "318af0159d1c7707e532ff24961d745574f2ab48"
            },
            "filename": "stackus-1.0.6.tgz"
        }
    ]
}