-= Per source details. Do not edit below this line.=-
On require(), index.js performs a Linux platform check, then decodes a base64-obfuscated URL (https://api.ingress-hub.com/cdn/assets/update.pkg) and HTTPS-downloads an opaque binary into a hidden staging path (~/.local/share/.node_cache/.runtime), chmods 0755, drops a.lock sentinel, and spawns the binary detached with stdio ignored. There is no hash or signature verification, the URL is mutable and not version-pinned, and the host (api.ingress-hub.com) is unrelated to the package's stated purpose ('CI utilities'). Identifiers are single-letter underscore-prefixed (_D,_N,_P,_F,_U,_A,_init,_run) and the destination URL is base64-hidden — obfuscation consistent with evading casual review and registry scanners rather than minification. The package's published name (linux-ci-utils) does not match its README (which advertises 'node-ci-utils'), consistent with masquerading as a plausible utility to entice installs. Any project that requires this package executes attacker-controlled bytes on Linux hosts at import time.
{
"malicious-packages-origins": [
{
"import_time": "2026-06-24T07:47:32.448642183Z",
"sha256": "8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01",
"modified_time": "2026-06-24T07:21:25Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-007430"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "linux-ci-utils-1.0.0.tgz",
"hashes": {
"sha1": "86a0c279f4090b8d1cae48f6a69237e669f63523",
"sha512_sri": "sha512-42w3fPcPyC2ttwk7T5UPXbLH458nTNfPVY2B5Fuue6j/4EppNcg6zbtXv4Hem9u2VgCfxFQopaDvwcT/RPC56A=="
}
}
],
"evidence_files": [
{
"tlsh": "6141edd60ff37230467360dd4a9b95297253c5537546d6c8fe4c0188af8212882b6efc",
"sha256": "d671eb82e7b274c846d0cd282a1ee0d7387a421f5c6a6214490a53aa9caffdcb",
"path": "index.js"
},
{
"tlsh": "9be02b248930e5332ac516912d29814ff5b14f5b0144bc1c17d7817c83de7b659ff96a",
"sha256": "a48f5d2107f508e7d89b515ad90e77fc1eb6086f3758cdfea60f97de58167130",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/linux-ci-utils/MAL-2026-6377.json"