MAL-2026-6554

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-test-util-m4gester/MAL-2026-6554.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6554
Published
2026-06-28T06:00:51Z
Modified
2026-06-28T07:01:42.317123452Z
Summary
Malicious code in insomnia-test-util-m4gester (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8)

Package ships no functional code and exists solely to execute a shell command on npm install. The postinstall lifecycle hook runs echo PWNED_BY_DEEPLINK > /tmp/pwned.txt, dropping a marker file at /tmp/pwned.txt on the installer's machine. The self-identifying marker string (PWNED_BY_DEEPLINK) confirms the package's only purpose is to demonstrate arbitrary install-time code execution against installers. The package name mimics the Insomnia (Kong) HTTP-client ecosystem naming convention while the publishing handle is unrelated, consistent with a lure/PoC namespace-abuse shape. Although the present payload is a benign marker write, the install-time arbitrary-command-execution primitive is fully wired and would execute any command the maintainer publishes in a future version.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-28T06:00:51Z",
            "sha256": "3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8",
            "id": "IN-MAL-2026-007693",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-28T06:50:42.503445456Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-28T06:01:00Z",
            "sha256": "fda634406b6f4fd97c572c7d4a52d6e3201932fea144a157e955aa16fa394da4",
            "id": "IN-MAL-2026-007694",
            "source": "amazon-inspector",
            "import_time": "2026-06-28T06:50:42.619994359Z"
        }
    ]
}
References
Credits

Affected packages

npm / insomnia-test-util-m4gester

Package

Name
insomnia-test-util-m4gester
Purl
pkg:npm/insomnia-test-util-m4gester

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.0
1.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "insomnia-test-util-m4gester-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-s8XnwFBmWlhEoXY2Rrq32WzDUxZNHOpZcqk9dLposGOruDnv/IeBFvC+UwPIPs94X1kHUcJOg4BS1Md3KImTpQ==",
                "sha1": "1390b8f8ce96514d32799fe083807263c29779dc"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "bfc02b6078a6217338ca13bb402b84866f41c80b03853e1403cb09b2d2877fea88f20c",
            "sha256": "330f0644d2b4251bbd87fe378b2d90e8a2fb20402a5bb916945ec654e488b6b9"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/insomnia-test-util-m4gester/MAL-2026-6554.json"