MAL-2026-6502

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-client-node/MAL-2026-6502.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6502
Published
2026-06-26T04:07:22Z
Modified
2026-06-26T05:01:37.130590692Z
Summary
Malicious code in js-client-node (npm)
Details


Source: amazon-inspector (341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2)

package.json declares a postinstall hook (node dist/postinstall.js) that runs automatically on npm install. The hook invokes prices() in dist/index.js, which resolves the installer's project root via process.env.INIT_CWD ?? process.cwd(), locates .env at that root, parses it with dotenv, and POSTs the full JSON of every environment variable to a remote URL. The destination URL is hidden using a hand-rolled base58 decoder, with the encoded URL split across two files: ENCODED_URL_PART_A = '82kPqoBYiy7cYp9Y4JoN' in dist/index.js and ENCODED_URL_PART_B = 'ZWfGP1a9afkaPxYp37FZgsTX' in dist/cli.js, concatenated and decoded at runtime. Errors are silently swallowed, so npm install shows no warning. The package's identity is a deliberate decoy: package.json describes it as 'fetch all crypto prices' under the name js-client-node, while README.md is copy-pasted verbatim from @types/node. Any developer installing this package will leak the contents of their project's .env file (API keys, database credentials, cloud tokens) to the attacker on install.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.4.0"
            ],
            "id": "IN-MAL-2026-007588",
            "modified_time": "2026-06-26T04:07:22Z",
            "import_time": "2026-06-26T04:57:28.903991166Z",
            "sha256": "341a29bc48b39d363662fe66dcf13ca9bc3db921cdae84e53b070fc7b3a935a2",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / js-client-node

Package: npm / js-client-node
Affected ranges: 1.*
Affected versions: 1.4.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-client-node/MAL-2026-6502.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "js-client-node-1.4.0.tgz",
            "hashes": {
                "sha1": "3ebaf8a7f5d731d5edfbb463cdb8ca1fb3c41b7d",
                "sha512_sri": "sha512-oVxWkesEzCZovcv4n0q3A2nviO/HGQS84lVnQZUSX00aZwu2+3bO/4LETYJ97Nebcynd8F/Vw0VYftb2YQf6kg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "b8ab49918d9b5cc2f48e1e4f56a9323b34a69d8354e279863f61ea303d2b3bb3",
            "tlsh": "4d9184162df3a7230a9367989317801a6fbc97173504e888b55ed3947f8901ca5a7bb4"
        },
        {
            "path": "README.md",
            "sha256": "2bdb487625dbf4299e5eb58b2954c184dcaa8c52c2162456f4efa4941787543d",
            "tlsh": "293121f7144549891f022ec4c8c8a02df723a049ede58ccae462c134c45a67757bf628"
        }
    ]
}