MAL-2026-6377

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/linux-ci-utils/MAL-2026-6377.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6377
Published
2026-06-24T07:21:25Z
Modified
2026-06-24T08:01:23.544300675Z
Summary
Malicious code in linux-ci-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01)

On require(), index.js performs a Linux platform check, then decodes a base64-obfuscated URL (https://api.ingress-hub.com/cdn/assets/update.pkg) and HTTPS-downloads an opaque binary into a hidden staging path (~/.local/share/.node_cache/.runtime), chmods 0755, drops a.lock sentinel, and spawns the binary detached with stdio ignored. There is no hash or signature verification, the URL is mutable and not version-pinned, and the host (api.ingress-hub.com) is unrelated to the package's stated purpose ('CI utilities'). Identifiers are single-letter underscore-prefixed (_D,_N,_P,_F,_U,_A,_init,_run) and the destination URL is base64-hidden — obfuscation consistent with evading casual review and registry scanners rather than minification. The package's published name (linux-ci-utils) does not match its README (which advertises 'node-ci-utils'), consistent with masquerading as a plausible utility to entice installs. Any project that requires this package executes attacker-controlled bytes on Linux hosts at import time.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-24T07:47:32.448642183Z",
            "sha256": "8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01",
            "modified_time": "2026-06-24T07:21:25Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007430"
        }
    ]
}
References
Credits

Affected packages

npm / linux-ci-utils

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "linux-ci-utils-1.0.0.tgz",
            "hashes": {
                "sha1": "86a0c279f4090b8d1cae48f6a69237e669f63523",
                "sha512_sri": "sha512-42w3fPcPyC2ttwk7T5UPXbLH458nTNfPVY2B5Fuue6j/4EppNcg6zbtXv4Hem9u2VgCfxFQopaDvwcT/RPC56A=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6141edd60ff37230467360dd4a9b95297253c5537546d6c8fe4c0188af8212882b6efc",
            "sha256": "d671eb82e7b274c846d0cd282a1ee0d7387a421f5c6a6214490a53aa9caffdcb",
            "path": "index.js"
        },
        {
            "tlsh": "9be02b248930e5332ac516912d29814ff5b14f5b0144bc1c17d7817c83de7b659ff96a",
            "sha256": "a48f5d2107f508e7d89b515ad90e77fc1eb6086f3758cdfea60f97de58167130",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/linux-ci-utils/MAL-2026-6377.json"