MAL-2026-6535

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/disksweep/MAL-2026-6535.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6535
Published
2026-06-26T19:01:32Z
Modified
2026-06-26T19:46:42.987234375Z
Summary
Malicious code in disksweep (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (31a2c10aba7f3468458529214868e2d8acd9717eb7985c47ab10cf4aed64f87c)

The package ships a 2.9 MB Windows PE32+ executable at bin/native/parser.node (sha256 b1aace6c70312a39ca39e6bba1d9abc6aaf9b23171089b1a548adc89f67f83c3) that is not mentioned in the README or CHANGELOG. src/index.js (lines 30-34) contains a loader that resolves this file via __dirname and calls process.dlopen(module, p) inside a try/catch, which would load the binary as a native Node addon with full FFI access to the host process. The README explicitly claims 'Zero runtime dependencies… nothing to audit', directly contradicting the presence of an opaque attacker-supplied native binary.

The current release is dormant on most installs because the package declares ESM ("type": "module") while the loader uses CJS-only globals (require, __dirname, module), so the dlopen call throws and the exception is swallowed by the try/catch. The binary is nonetheless staged on disk, and a one-line patch (switching to createRequire or fileURLToPath) would make the loader live for every installer.

Supporting weak-attribution signals: package.json repository.url points at the npm package page rather than a real source repository, bugs.url is the same placeholder, the author is the generic 'disksweep contributors', and the CHANGELOG documents only v1.0.0 despite the published version being 3.0.0. The combination of an opaque Windows-only native binary, a docs/contents mismatch ('zero dependencies' marketing), placeholder metadata hiding maintainer identity, and a pre-wired dlopen loader is the staged-native-payload pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.0.0"
            ],
            "modified_time": "2026-06-26T19:01:32Z",
            "sha256": "31a2c10aba7f3468458529214868e2d8acd9717eb7985c47ab10cf4aed64f87c",
            "id": "IN-MAL-2026-007655",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T19:36:31.955017694Z"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-26T19:01:37Z",
            "sha256": "49b8ad00b1eafea2b5bccbeee95cb7321b92c72f79ba917a9fc00f19104ebbcf",
            "id": "IN-MAL-2026-007656",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T19:36:32.180550802Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / disksweep

Affected ranges    Affected versions
1.*                1.0.0
3.*                3.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "disksweep-3.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-b2HeUREPZqZTB/jWQ9c5EeR/RwXGvzzN9CJc+t9h7bI6/Ms/Nby6np6VqlM83cbew+AD82evVnu3yr3tQbs9gQ==",
                "sha1": "2d7b75dc782a6003a52dae488e6144e4127ea939"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "src/index.js",
            "tlsh": "7c11524673d70270d0d77b4509afd011b96dd1c6770aede1d1aa03943ee08f04113dae",
            "sha256": "ed6538c324fdf2f6f86a0529c597f75f4034c58a03eaf5ad463f37219612b2f7"
        },
        {
            "path": "package.json",
            "tlsh": "f8418c3bc9a44d7b15b8e54ab8748611f899038f9390085b347c02ac0f7e1b7538fab9",
            "sha256": "60ead84f0bb3467aa181eb0cbee6daa4253151f277f13b4f74feab746057d12f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/disksweep/MAL-2026-6535.json"