MAL-2026-6143

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-vfs-polyfill/MAL-2026-6143.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6143

Published

2026-06-18T22:31:27Z

Modified

2026-06-18T23:16:47.591742430Z

Summary

Malicious code in node-vfs-polyfill (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7fb213e524ed75dcb54961d6d2ee9431ea6a32f4fdcb9d777bc260102920d81b)

On install, postinstall.js executes automatically and exfiltrates host reconnaissance data to attacker-controlled subdomains on oastify.com (Burp Collaborator), a domain commonly used for out-of-band data exfiltration. The script imports http, https, os, and child_process; calls os.hostname() and execSync() to gather system identifiers; and POSTs the collected data — including hostname, username, and version fields — to hardcoded endpoints such as http://xxxxxxxxx.oastify.com and http://rni4z9qkil62r9dcwosokhtgo7u9i76w.oastify.com. The package name suggests a generic VFS polyfill but the postinstall does no polyfill work; its sole observable effect on npm install is system-info exfiltration. This matches the dependency-confusion / reconnaissance beacon pattern.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "7fb213e524ed75dcb54961d6d2ee9431ea6a32f4fdcb9d777bc260102920d81b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T22:31:27Z",
            "versions": [
                "2.0.5"
            ],
            "id": "IN-MAL-2026-007039",
            "import_time": "2026-06-18T23:09:38.946586468Z"
        }
    ]
}

References

https://www.npmjs.com/package/node-vfs-polyfill/v/2.0.5

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / node-vfs-polyfill

Package

Name: node-vfs-polyfill; View open source insights on deps.dev
Purl: pkg:npm/node-vfs-polyfill

Affected ranges

Affected versions

2.*

2.0.5

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-vfs-polyfill/MAL-2026-6143.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "c216cb04c1ea30d33368d9744553d9ed649d9c451a761a603ec3f457bde83573",
            "tlsh": "d14283b541b0555835b5cf9dab0f60026656f0077a46fea878ae33401fce65882b3efe",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-jbMSlCCaGsv+FSBZQJDc2k8b2g2FwDk3ScrTQBxZqW1gwb0MJHHc3UrW0+eDdCDRt7l95gEXXzSmoIWPCxi8HA==",
                "sha1": "f17669571b63c3f719273b4a5f563f54df98fe43"
            },
            "filename": "node-vfs-polyfill-2.0.5.tgz"
        }
    ]
}