MAL-2026-6237

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-api/MAL-2026-6237.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6237

Published

2026-06-20T13:10:06Z

Modified

2026-06-20T13:46:43.643742057Z

Summary

Malicious code in atlasora-api (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92)

Package declares a postinstall hook ("postinstall": "node install.js") that runs install.js automatically on npm install. install.js imports https, fs, os, and child_process and collects host identifiers including os.hostname() and os.userInfo(), uses execSync for additional system enumeration, probes filesystem paths via fs.existsSync, and POSTs the collected data over an outbound https.request. This is the canonical install-time host-reconnaissance / exfiltration pattern: the package's only effect on installation is to harvest system identity and ship it off-host. There is no documented library functionality justifying the network beacon at install time.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "9776899942c749b493911ca4e33c3b4967308a816e167bd3ee90c95800632f92",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T13:10:06Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007098",
            "import_time": "2026-06-20T13:37:51.354538686Z"
        }
    ]
}

References

https://www.npmjs.com/package/atlasora-api/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / atlasora-api

Package

Name: atlasora-api; View open source insights on deps.dev
Purl: pkg:npm/atlasora-api

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-api/MAL-2026-6237.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "5849f99b3c22a51b079d3d793718c0b48cde0e1c6ed7d7738edaf87e8e01eb88",
            "tlsh": "887175a180f6026056d33ae7e58f24252215f153be12eed43ddc12519f8a62c86f2bff",
            "path": "install.js"
        },
        {
            "sha256": "46551a65ed9af13d511f3fd1df22707d32dc38bccb46d365fda946a87b182a64",
            "tlsh": "d8e0e574aa20cc735ac966ac4d65515576218a0bc848a81c3ac7215cd3ce62209fd62d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-guOpKPN8UyPfANEmjmP9x1SygKLySyf41x2cZnNUMcie8s0LcwOYSRo72HIu30tPNt6yZlKkpdo4oI4BvuAgtQ==",
                "sha1": "ff5b627d729f282278301001924f366414be43af"
            },
            "filename": "atlasora-api-1.0.0.tgz"
        }
    ]
}