MAL-2026-6196

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/build-tracker-n5p1/MAL-2026-6196.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6196

Published

2026-06-19T06:48:23Z

Modified

2026-06-19T07:31:48.590382414Z

Summary

Malicious code in build-tracker-n5p1 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619)

Package name suggests build telemetry tooling, but the tarball ships beacon scripts (beacon18.js, beaconlinux.js) wired to a postinstall lifecycle hook ("postinstall": "node run.js" in package.json line 9). On install, these scripts collect host identifiers via os.hostname()/os.platform() and childprocess, then issue outbound HTTP GET/POST requests via http.request from the installer's machine. This combination — auto-execute on install, host fingerprinting, and outbound HTTP exfiltration — is a classic install-time host beacon / data-exfiltration pattern. There is no legitimate build-tracking reason to fingerprint the host and beacon out at install time without consent or configuration.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "e731775fde27ad6db493d20397b27eee9b4a6ea0bf515f9516cc974ea3e12619",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T06:48:23Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007063",
            "import_time": "2026-06-19T07:17:17.04916041Z"
        }
    ]
}

References

https://www.npmjs.com/package/build-tracker-n5p1/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / build-tracker-n5p1

Package

Name: build-tracker-n5p1; View open source insights on deps.dev
Purl: pkg:npm/build-tracker-n5p1

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/build-tracker-n5p1/MAL-2026-6196.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "9c82a9ea5aeb13cc266d5054ddf5c44f87eb909bd09124e0b370aac445c9010f",
            "tlsh": "b112b431e4215c247592d5ad8a0b94293137b3133a62fea0bb8e748c2fce15e82765fd",
            "path": "beacon18.js"
        },
        {
            "sha256": "60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68",
            "tlsh": "5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded",
            "path": "beacon_linux.js"
        },
        {
            "sha256": "3161b3929d5a1c917c8d288f302c6f0dbb7af784f83c13024a5cee04f1e3789d",
            "tlsh": "fdf08b54983039336ac02ad80ca2494af6304f0b61947d5d427b192842dee3a70bf11e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-1ewZPwcvfuPSDb8az9ZKsf+vSdigoiqsz3974zJjSc1wTeduiB0PqmI1KkATaKSS0NMfUF29ZNh5X46lqAZs3Q==",
                "sha1": "90d56afa52e250803cff05b1068d20f8a7814072"
            },
            "filename": "build-tracker-n5p1-1.0.0.tgz"
        }
    ]
}