MAL-2026-6348

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/buffer-wrap-67d7/MAL-2026-6348.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6348

Published

2026-06-23T21:40:45Z

Modified

2026-06-23T22:46:24.143443728Z

Summary

Malicious code in buffer-wrap-67d7 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a0192c1f2bf35c50a401e2df63f505564880339f5329c0ffcfdb8748cd6d48e3)

The package declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on npm install. run.js imports os, fs, http, https, and child_process, and collects host and user identity signals including os.hostname(), os.userInfo(), os.platform(), process.env.USER, and process.cwd(), alongside filesystem reads (fs.existsSync, fs.readFileSync). Collected data is base64-encoded (Buffer.from(...).toString('base64')) and POSTed out via http/https calls (multiple POST sites at run.js lines 131, 339, 346). The composition — automatic lifecycle trigger, system/user reconnaissance, base64 packaging, and outbound POSTs — is the canonical install-time exfiltration shape and produces direct attacker benefit (host fingerprinting and credential-adjacent data leaving the installer's machine).

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-23T21:40:45Z",
            "sha256": "a0192c1f2bf35c50a401e2df63f505564880339f5329c0ffcfdb8748cd6d48e3",
            "id": "IN-MAL-2026-007373",
            "source": "amazon-inspector",
            "import_time": "2026-06-23T22:31:27.205348986Z"
        }
    ]
}

References

https://www.npmjs.com/package/buffer-wrap-67d7/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / buffer-wrap-67d7

Package

Name: buffer-wrap-67d7; View open source insights on deps.dev
Purl: pkg:npm/buffer-wrap-67d7

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-KDS5CTbDRdW1vbafOVx/vdrLaoi/rBfMW39A6gnR2Xtz4ggh7lJsMYY8Ecqfga6J1p2mFBF6iVlKSS3/E1oLfQ==",
                "sha1": "1d8f972ca15a011bae9725fde2add474c4ef1754"
            },
            "filename": "buffer-wrap-67d7-1.0.0.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "cae068189c303a3339d02aa91c62926ba7308f0f20543d2c52b72929429bb7ab47b14d",
            "sha256": "4d99b243a066f8b6797c51600415608ce7df061dcbdd743d01addfea8df6b4f6"
        },
        {
            "path": "run.js",
            "tlsh": "0382e67219f7462479a3eaade65fa4006523f1077a51eda0f28c73610fcf568c172af8",
            "sha256": "45b7cdbc6e1e29b849d9cf8941adc62b6c3b18e21b4a7fb9216a62b3c7730087"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/buffer-wrap-67d7/MAL-2026-6348.json"