-= Per source details. Do not edit below this line.=-
On npm install, the package's postinstall script queries the AWS instance metadata service (IMDSv1) at 169.254.169.254 for the attached IAM role and POSTs the result, along with an IMDS-reachability probe, over plain HTTP to a hardcoded bare IP (54.226.194.239:80/chain3). The published library surface (index.js) only exports two no-op console.log stubs named validate/deploy, with no real functionality — the entire effective behavior is the install-time reconnaissance against AWS-hosted installers and CI runners. The combination of a placeholder API, a generic deployment-utility name suggesting an internal/private package, and install-time recon to a hardcoded bare-IP C2 matches the dependency-confusion / internal-name-squat pattern targeting corporate build systems, where exposed IAM role names enable follow-on credential abuse against the installer's cloud environment.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.1"
],
"sha256": "5f0097d19be676ac30ff79dffcff38f128873c80115a8a150c3eceff0422aa93",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"modified_time": "2026-06-29T07:09:41Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007771",
"import_time": "2026-06-29T09:10:16.293553336Z"
}
]
}{
"package_integrity": [
{
"filename": "ledgerflow-deploy-utils-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-EZE79itTKpYHeL1bwhfxQ80UD86J71sH3DKF+Igh57Q8Z4cRkl1WXubR6Yn99RDJELtcd4/AsKNSX3x7oGILCQ==",
"sha1": "3e383072ccd84fe57a1b06ce1384b0605f53a6b0"
}
}
],
"evidence_files": [
{
"sha256": "3a8a53135dc01cb00b57a53e0a486396720a5cb67718ceb56d52e287f251d52f",
"path": "postinstall.js",
"tlsh": "2d011ee8b2f161360bb7c22ca19a790b6514900e14af9e04ba841f64bf4833edc70de8"
},
{
"sha256": "920bc0303c24f08b00e81cb2ad6996abca1290398e1a45c8b9ace2c831193cfe",
"path": "index.js",
"tlsh": "54c04c946e6922691e3a60e49482942bb1d04f51850aa06435ac67a600c4e5940fa4f9"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ledgerflow-deploy-utils/MAL-2026-6591.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]