MAL-2026-6099

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stream-read-35cf/MAL-2026-6099.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6099
Published
2026-06-18T03:53:34Z
Modified
2026-06-18T05:46:39.063960724Z
Summary
Malicious code in stream-read-35cf (npm)
Details

Source: amazon-inspector (0597f71a1c39a743a4323636794601b480a1cda0c64df20d6bafa7ed601da84e)

Package declares a postinstall hook ("postinstall": "node run.js") that auto-executes run.js on npm install. run.js imports os, fs, http, https, and child_process and collects host identifiers (os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd()), reads files via fs.readFileSync / fs.existsSync, base64-encodes data via Buffer.from(...).toString('base64'), and POSTs the results to remote endpoints over http/https (multiple POST call sites at lines 135, 138, 347, 354). The package name is a short random-suffixed identifier with no documented purpose, and the only effect of installing the package is the reconnaissance + exfiltration payload. This is the canonical install-time stealer shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0597f71a1c39a743a4323636794601b480a1cda0c64df20d6bafa7ed601da84e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T03:53:34Z",
            "id": "IN-MAL-2026-006959",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-18T05:42:04.275159988Z"
        }
    ]
}
References
Credits

Affected packages

npm / stream-read-35cf

Package: npm / stream-read-35cf
Affected ranges: 1.*
Affected versions: 1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/stream-read-35cf/MAL-2026-6099.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "f1164377336c959d2706dd84b31300cf2fbd789b67d989081b11bd4bc404e3a6",
            "tlsh": "46e06818cc24393339d42ae80ca29297a7708f0b60147d2c52bb692c82abb3a757b10d",
            "path": "package.json"
        },
        {
            "sha256": "c4fe86d76ca58a8179a87cf2385422debb3c507410557c7830d350fc33931ade",
            "tlsh": "8a82f77219b7461479a3e6ade66fa4005033f1177a51eca0f28c73510fcf668d5b2af8",
            "path": "run.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-t4ZeZgC3TmIbA6YkbcN6NGUSuIfpy/FSGSdrLbEB4TI/uLXc0TGRUYbTEwZgW6TFycqVPpCdfHi5NcYJJnGqFw==",
                "sha1": "797292c86a08cf311fdbef10dfcc7d266d4a45a2"
            },
            "filename": "stream-read-35cf-1.0.0.tgz"
        }
    ]
}