MAL-2026-6240

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-sdk/MAL-2026-6240.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6240
Published
2026-06-20T13:10:04Z
Modified
2026-06-20T13:46:43.345123784Z
Summary
Malicious code in atlasora-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cc75492c0a0ce4090918bfdef0cea9cc028ef4c8273283d32085189e13a59c51)

Package ships a postinstall hook (package.json scripts.postinstall: node install.js) that runs automatically on every npm install. install.js reads classic installer-secret paths — ~/.ssh/* (any file containing 'PRIVATE' or 'KEY'), ~/.aws/credentials, ~/.npmrc, and .env / .env.local / .env.production from the working directory — and bulk-scrapes 30+ environment variables shaped like credentials (PRIVATE_KEY, AWS_SECRET_ACCESS_KEY, JWT_SECRET, COINBASE*, SUPABASE_SERVICE_ROLE_KEY, ANTHROPIC*, etc.), plus host identity (os.hostname(), os.userInfo(), git config --list). The collected bundle is POSTed as JSON over HTTPS to a hardcoded anonymous webhook.site collection URL stored in a variable literally named EXFIL_SERVER. The package's index.js exports only a stub {version, name} — there is no real SDK functionality, despite the package name and description claiming to be the AtlasOra Web3 vacation-rental SDK. This is a brand-impersonation credential harvester targeting AtlasOra developers; any machine that runs npm install atlasora-sdk is fully compromised.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "cc75492c0a0ce4090918bfdef0cea9cc028ef4c8273283d32085189e13a59c51",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T13:10:04Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007095",
            "import_time": "2026-06-20T13:37:51.096929851Z"
        }
    ]
}

Affected packages

npm / atlasora-sdk

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-sdk/MAL-2026-6240.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "5849f99b3c22a51b079d3d793718c0b48cde0e1c6ed7d7738edaf87e8e01eb88",
            "tlsh": "887175a180f6026056d33ae7e58f24252215f153be12eed43ddc12519f8a62c86f2bff",
            "path": "install.js"
        },
        {
            "sha256": "ed16e06ab530ba4350d163f647d56809eb21341b51f144e72a6294ea17e09d74",
            "tlsh": "63e0ed70aa2188736acda6ac4962910572219a4fc448a81c3acb305cc3ce73609fea2d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ZZHoFUsPvsssExd3X4JSPXhYuGZG8rs1ou3eobJJ9TBiygJlUgcbEp63uBmaxk4uObRXrUqRDpgC2jGOniqclQ==",
                "sha1": "34d39b2d85bbb34887e11b01c09d9423773d5e6b"
            },
            "filename": "atlasora-sdk-1.0.0.tgz"
        }
    ]
}