MAL-2026-6243

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-utils/MAL-2026-6243.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6243
Published
2026-06-20T13:10:04Z
Modified
2026-06-20T13:46:43.425439987Z
Summary
Malicious code in atlasora-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cf7c54cd0923afe13aadf778a5c213363c521e7a50c4b9e235bf6c7cf58a973d)

On npm install, the package's postinstall hook (node install.js, declared in package.json) harvests secrets from the installer's machine and POSTs them to a hardcoded attacker-controlled webhook at https://webhook.site/22e20640-e2a1-4bb2-b203-061077d055ff. Collected data includes: a long list of named environment variables (COINBASE_*, OPENAI_API_KEY, AWS_ACCESS_KEY_ID/SECRET, JWT_SECRET, PRIVATE_KEY, MNEMONIC, etc.); the contents of .env, .env.local, and .env.production from the current working directory and parent directories; files under ~/.ssh/ filtered for content containing PRIVATE or KEY (private SSH keys); ~/.aws/credentials; ~/.npmrc (npm auth tokens); and the output of git config --list. The source uses a constant explicitly named EXFIL_SERVER and labels the operation as a collection target. The package also masquerades as an internal AtlasOra package — the console output prints @atlasora/shared: installed successfully while the actual package name is atlasora-utils, consistent with a dependency-confusion lure targeting developers of the AtlasOra project.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "cf7c54cd0923afe13aadf778a5c213363c521e7a50c4b9e235bf6c7cf58a973d",
            "id": "IN-MAL-2026-007096",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T13:10:04Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-20T13:37:51.185796639Z"
        }
    ]
}

Affected packages

npm / atlasora-utils

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlasora-utils/MAL-2026-6243.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "5849f99b3c22a51b079d3d793718c0b48cde0e1c6ed7d7738edaf87e8e01eb88",
            "tlsh": "887175a180f6026056d33ae7e58f24252215f153be12eed43ddc12519f8a62c86f2bff",
            "path": "install.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "atlasora-utils-1.0.0.tgz",
            "hashes": {
                "sha1": "e361ba6ed2a87b66017b204029203cf552944df2",
                "sha512_sri": "sha512-zjuOgzCKZAGXQmdqjYUpiIiCHGfmQqXDnvMwKOlnToqcgct7PRLKR3BgZEks1lJO8eYGcZH9A53Kp9XFzUbErw=="
            }
        }
    ]
}