MAL-2026-6490

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/data-parser-utils/MAL-2026-6490.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6490

Published

2026-06-26T00:34:38Z

Modified

2026-06-26T01:16:24.838397810Z

Summary

Malicious code in data-parser-utils (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2fb4c4230fa7663c13b273922ecdf6dad55a30791d1332067841ec011814e5b8)

index.js imports childprocess at the top of the module and invokes execSync against bash and zsh at lines 301 and 317. The shape — require('childprocess') at module top with execSync('bash...') and execSync('zsh...') calls reachable from the main entry — matches the shell-history harvest fingerprint (reading ~/.bashhistory / ~/.zshhistory or running history/fc -l under a login shell and exfiltrating the output). Shell history routinely contains credentials, tokens, and connection strings, so collecting and shipping it off-host is credential theft on the installer's machine regardless of how the package frames itself. The package name ('data-parser-utils') has no plausible reason to spawn bash and zsh subshells. The traced code content also tripped the malware-output safety filter, which independently corroborates that the contents read as operational credential-theft code rather than as a benign data-parsing utility.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.0.2"
            ],
            "modified_time": "2026-06-26T00:34:38Z",
            "sha256": "2fb4c4230fa7663c13b273922ecdf6dad55a30791d1332067841ec011814e5b8",
            "id": "IN-MAL-2026-007574",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T00:59:25.88238589Z"
        }
    ]
}

References

https://www.npmjs.com/package/data-parser-utils/v/3.0.2

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / data-parser-utils

Package

Name: data-parser-utils; View open source insights on deps.dev
Purl: pkg:npm/data-parser-utils

Affected ranges

Affected versions

3.*

3.0.2

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-I8tEhgtMrMev8ZI1tzf281tsvk+c2a/FUHkqmHn5KLoqth3dXj0tEGIzNh0O3m2h+O2Y8sk7b/0+KTAa9kETzQ==",
                "sha1": "a9e315f9218ae19316043eab67afbc4d711f6134"
            },
            "filename": "data-parser-utils-3.0.2.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "a272a89a15f7213242e373f8555f100a76a9c043360ade8977dc87582f9e528a2f6fec",
            "sha256": "dcd2c5bc4f5ed2ff05a9dc2350eabea2a10fa3178f7e3790681db7958f192006"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/data-parser-utils/MAL-2026-6490.json"