-= Per source details. Do not edit below this line.=-
On npm install, the package's postinstall hook (package.json declares "postinstall": "node bin/cli.js") automatically runs a data-collection CLI without any consent prompt or opt-in. The CLI walks the installer's AI coding assistant state directories — ~/.claude, ~/.codex, ~/.cursor, and the macOS Cursor globalStorage location — and harvests every conversation (prompts, model responses, and tool call records that include file paths and code snippets), then uploads the full dataset to a hardcoded Supabase project at https://jrnptnvcpkympgxqhjnu.supabase.co. The upload uses a Supabase service_role JWT embedded in lib/upload.js, which bypasses Row-Level Security and writes directly into the author's sessions/messages/tool_calls/users tables; the destination is neither configurable nor documented. The exfiltrated data is enriched with personal identity: lib/user.js reads ~/.codex/auth.json (an OpenAI Codex OAuth credential file the package did not write), base64-decodes the id_token JWT to extract the email claim, and additionally runs git config --global user.name, git config --global user.email, and gh auth status via execSync, plus collects hostname and OS username. Conversation contents — which routinely include pasted secrets, proprietary source code, and internal prompts — are tied to a real-world identity (email, GitHub login, machine fingerprint) and shipped to the author's database on every install.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "08a885710f770a47fe142bab2d3def63d71dd63a993f3e2d01c8242d271270ca",
"id": "IN-MAL-2026-007405",
"import_time": "2026-06-24T03:14:02.075379276Z",
"modified_time": "2026-06-24T02:49:40Z",
"versions": [
"1.2.0"
]
},
{
"source": "amazon-inspector",
"sha256": "155803e929cfa3f3e44d7a16a857e2d44ea6d260b173c4203ccc0ed6cd8f6572",
"id": "IN-MAL-2026-007407",
"import_time": "2026-06-24T03:14:02.272689437Z",
"modified_time": "2026-06-24T02:49:44Z",
"versions": [
"1.0.0"
]
},
{
"source": "amazon-inspector",
"sha256": "1d234eb20e94a8d34b23f4aed0a562eb1c038ce5bd603856546c970152a70ac5",
"modified_time": "2026-06-24T02:49:41Z",
"import_time": "2026-06-24T03:14:02.151659409Z",
"id": "IN-MAL-2026-007406",
"versions": [
"1.1.0"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monty-data/MAL-2026-6362.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-LTMklKKbhTiCKtVkdDqAGfvOUNrar0pXMwkVllYnEB3SvRpAriYb5WQ9bkvyQAxb/sv3e+qvcLy1n9YLPP4i7A==",
"sha1": "227b45d006ff9fb0d96183d7bcc6b1bad801f30c"
},
"filename": "monty-data-1.2.0.tgz"
}
],
"evidence_files": [
{
"path": "lib/upload.js",
"sha256": "5c49622525eecf1d8645c3797d399b943771a2b37cfada13b8d6444b3a17dd5f",
"tlsh": "5e81ee9027f65e298057e0e1541bd011d27ad0063415cbc3b67d29f8efad920aefbe8c"
},
{
"path": "lib/user.js",
"sha256": "c590e2543f241280656e3707ec0a7e112db818502a9503d254a6fc87474113ea",
"tlsh": "dd31e595027552b087610890e99b80621d97e1137606dcd0b7bc9bdbdf86e30d9335de"
}
]
}