MAL-2026-6239

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-config/MAL-2026-6239.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6239
Published
2026-06-20T13:10:08Z
Modified
2026-06-20T13:46:43.307234321Z
Summary
Malicious code in atlasora-config (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092)

The package declares a postinstall hook in package.json ("postinstall": "node install.js") that auto-executes install.js on every npm install. install.js imports https, fs, os, and child_process; collects host identity via os.hostname() and os.userInfo() (lines 16, 18); reads filesystem state with fs.existsSync (lines 53, 62, 83); shells out via execSync (line 77); and POSTs the collected data over an https.request to a remote endpoint (lines 96, 104, 113). The combination of host/user identity collection, filesystem probing, command execution, and outbound HTTPS POST inside a postinstall script is the canonical install-time exfiltration shape. Installing the package causes the installer's machine identity and environment data to be transmitted to a remote endpoint without consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T13:10:08Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007100",
            "import_time": "2026-06-20T13:37:51.60885376Z"
        }
    ]
}

Affected packages

npm / atlasora-config

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-config/MAL-2026-6239.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "5849f99b3c22a51b079d3d793718c0b48cde0e1c6ed7d7738edaf87e8e01eb88",
            "tlsh": "887175a180f6026056d33ae7e58f24252215f153be12eed43ddc12519f8a62c86f2bff",
            "path": "install.js"
        },
        {
            "sha256": "45d3280c7ac0a0eb1c04adee2481176cf99f5baf78299a5d50fec2da2629aa05",
            "tlsh": "bfe02b306a20cc335ad466694d62500679314f4bc4486c1d37d73028978e77609bea1d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ErMNtFOTG1lWfJv2GmoMcPABREmovtWRERUTchHb/GK8VZc45f4xTJlmvVupKCLtMtO8leRi6lkLJuSye8JEfQ==",
                "sha1": "6b8f98a8959ab2947fa6188999f9d2b7c17b897a"
            },
            "filename": "atlasora-config-1.0.0.tgz"
        }
    ]
}