MAL-2026-6591

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ledgerflow-deploy-utils/MAL-2026-6591.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6591
Published
2026-06-29T07:09:41Z
Modified
2026-06-29T09:16:40.716801985Z
Summary
Malicious code in ledgerflow-deploy-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5f0097d19be676ac30ff79dffcff38f128873c80115a8a150c3eceff0422aa93)

On npm install, the package's postinstall script queries the AWS instance metadata service (IMDSv1) at 169.254.169.254 for the attached IAM role and POSTs the result, along with an IMDS-reachability probe, over plain HTTP to a hardcoded bare IP (54.226.194.239:80/chain3). The published library surface (index.js) only exports two no-op console.log stubs named validate/deploy, with no real functionality — the entire effective behavior is the install-time reconnaissance against AWS-hosted installers and CI runners. The combination of a placeholder API, a generic deployment-utility name suggesting an internal/private package, and install-time recon to a hardcoded bare-IP C2 matches the dependency-confusion / internal-name-squat pattern targeting corporate build systems, where exposed IAM role names enable follow-on credential abuse against the installer's cloud environment.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "5f0097d19be676ac30ff79dffcff38f128873c80115a8a150c3eceff0422aa93",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "modified_time": "2026-06-29T07:09:41Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007771",
            "import_time": "2026-06-29T09:10:16.293553336Z"
        }
    ]
}
References
Credits

Affected packages

npm / ledgerflow-deploy-utils

Package

Name
ledgerflow-deploy-utils
View open source insights on deps.dev
Purl
pkg:npm/ledgerflow-deploy-utils

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ledgerflow-deploy-utils-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-EZE79itTKpYHeL1bwhfxQ80UD86J71sH3DKF+Igh57Q8Z4cRkl1WXubR6Yn99RDJELtcd4/AsKNSX3x7oGILCQ==",
                "sha1": "3e383072ccd84fe57a1b06ce1384b0605f53a6b0"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3a8a53135dc01cb00b57a53e0a486396720a5cb67718ceb56d52e287f251d52f",
            "path": "postinstall.js",
            "tlsh": "2d011ee8b2f161360bb7c22ca19a790b6514900e14af9e04ba841f64bf4833edc70de8"
        },
        {
            "sha256": "920bc0303c24f08b00e81cb2ad6996abca1290398e1a45c8b9ace2c831193cfe",
            "path": "index.js",
            "tlsh": "54c04c946e6922691e3a60e49482942bb1d04f51850aa06435ac67a600c4e5940fa4f9"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ledgerflow-deploy-utils/MAL-2026-6591.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]