MAL-2026-6552

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-plugin-poc-m4gester/MAL-2026-6552.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6552
Published
2026-06-28T06:00:42Z
Modified
2026-06-28T07:01:42.345287820Z
Summary
Malicious code in insomnia-plugin-poc-m4gester (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0eb7024d158c345559d9f130ba3a6b52563328467ec6bb560e196e5c7bc9b955)

package.json declares a postinstall lifecycle hook that runs a shell command writing a marker file to /tmp on npm install ("postinstall": "echo PWNED_BY_DEEPLINK > /tmp/..."). The package ships no library code and no plugin implementation, and its description field is literally "test": there is no advertised functionality to justify the install-time shell execution. The package name insomnia-plugin-poc-m4gester further self-identifies as a proof-of-concept exploit targeting the Insomnia REST client plugin namespace. Installing this package results in attacker-chosen shell execution on the installer's machine; the current payload is benign (a marker file write), but the mechanism is arbitrary code execution at install time and could trivially be swapped for a destructive or exfiltrating command in a future version.
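As an added defender-side example (not part of the OSV record or the amazon-inspector source), the following audit flags the three traits the advisory describes: a lifecycle hook that runs a shell command, no usable code declared, and a placeholder description. The sample package.json is constructed from the advisory text; the marker path is truncated on the page, so a labelled placeholder stands in for it.

```python
import json

# Constructed sample modelled on the advisory text. The real marker path is
# truncated on the page ("/tmp/..."), so PLACEHOLDER_MARKER is an assumption.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "insomnia-plugin-poc-m4gester",
    "version": "1.0.0",
    "description": "test",
    "scripts": {"postinstall": "echo PWNED_BY_DEEPLINK > /tmp/PLACEHOLDER_MARKER"},
})

# npm lifecycle hooks that run automatically during install/uninstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")
# Substrings suggesting the hook does more than a build step: redirection,
# pipes, network fetches, temp-file writes, inline node or shell evaluation.
SHELL_INDICATORS = (">", "|", "curl", "wget", "/tmp/", "node -e", "sh -c")
PLACEHOLDER_DESCRIPTIONS = ("", "test", "todo", "tbd")


def audit_package_json(text):
    """Return a list of (severity, reason) findings for one package.json."""
    pkg = json.loads(text)
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [tok for tok in SHELL_INDICATORS if tok in cmd]
        severity = "high" if hits else "medium"
        findings.append((severity, f"{hook} runs {cmd!r}; indicators: {hits}"))
    # No entry point, exports, file list or bin: nothing for a consumer to use.
    if not any(pkg.get(k) for k in ("main", "exports", "files", "bin")):
        findings.append(("low", "no main/exports/files/bin: package ships no usable code"))
    if str(pkg.get("description", "")).strip().lower() in PLACEHOLDER_DESCRIPTIONS:
        findings.append(("low", "placeholder description"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean package."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for sev, reason in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{sev}] {reason}")
```

Setting `ignore-scripts=true` in `.npmrc` (or passing `--ignore-scripts` to `npm install`) prevents such hooks from running at install time regardless of what the audit finds.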

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-28T06:00:42Z",
            "sha256": "0eb7024d158c345559d9f130ba3a6b52563328467ec6bb560e196e5c7bc9b955",
            "id": "IN-MAL-2026-007692",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-28T06:50:42.399950974Z"
        }
    ]
}
References
Credits

Affected packages

npm / insomnia-plugin-poc-m4gester

Package

Name
insomnia-plugin-poc-m4gester
Purl
pkg:npm/insomnia-plugin-poc-m4gester

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-R8e+YgdrMTfKEtfxJLjKSbS4HXlG+1pskgVgqGYJahM3pmhNHR7zbQJ9vOMi7PMYZMl4zfWAJRhSjJrjmQETvA==",
                "sha1": "c36d86beb89b2fcfedb69c97ce292ebdbac82cc6"
            },
            "filename": "insomnia-plugin-poc-m4gester-1.0.0.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "72d0a750e9a5342328cd126948774046af11450b02047e1413e714756a8b7faa4a7748",
            "sha256": "5da68920b896a76fd5d803794e72852d76790a4ae2897b6c9bbadca33562ed18"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-plugin-poc-m4gester/MAL-2026-6552.json"