MAL-2026-6553

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-plugin-poc-m4gester2/MAL-2026-6553.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6553

Published

2026-06-28T06:00:35Z

Modified

2026-06-28T07:01:42.292862157Z

Summary

Malicious code in insomnia-plugin-poc-m4gester2 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86)

Package ships only a package.json with no plugin code, declaring a postinstall lifecycle script that runs echo PWNED_BY_DEEPLINK > /tmp/pwned.txt on every npm install. This writes a marker file to the installer's filesystem and demonstrates arbitrary command execution at install time. The package name self-identifies as a proof-of-concept (poc-m4gester) and adopts the insomnia-plugin-* namespace despite shipping no Insomnia plugin functionality. While the current payload is a benign marker write, the postinstall is an arbitrary-shell-on-install primitive with no legitimate purpose, in a namespace-squat shell of a package.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-28T06:01:08Z",
            "sha256": "1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86",
            "id": "IN-MAL-2026-007695",
            "source": "amazon-inspector",
            "import_time": "2026-06-28T06:50:42.719447492Z"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-28T06:00:35Z",
            "sha256": "a07696df593b382127f1eedea455af911e9e94591c0526d0b191576b411decf9",
            "id": "IN-MAL-2026-007691",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-28T06:50:42.297530464Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / insomnia-plugin-poc-m4gester2

Package

Name: insomnia-plugin-poc-m4gester2; View open source insights on deps.dev
Purl: pkg:npm/insomnia-plugin-poc-m4gester2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.0

1.0.1

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "insomnia-plugin-poc-m4gester2-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-PM4wyNL+mA5TXcA4y2juLm7Q6yOC+jVlPlhoy/PCOTSxVOfRt9DcM31h2nIIqa5ZdhBi5Yo9dz7JOyccgfmfBA==",
                "sha1": "ebaf9c96403e1bd7d7e4d9c5d7cb32f762ae9b6f"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "82d02350fda6743338cd126948774047af11451b02057e1413e714756bcf7faa4e7358",
            "sha256": "2dc185f10b0d7a8f1d9c7d3d445be50c98407cbdd6b19d3c336c9a2809a03eea"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-plugin-poc-m4gester2/MAL-2026-6553.json"