MAL-2026-6789

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@checkrhq/adjudication-api-client/MAL-2026-6789.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6789
Published
2026-07-02T20:51:05Z
Modified
2026-07-09T17:31:57.664248420Z
Summary
Malicious code in @checkrhq/adjudication-api-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c52d9987ace09f0c48d8b0661bd1fcd3cf4e7e701b5e515810c7f32d99086cf)

package.json declares a preinstall lifecycle script that runs curl to POST installer reconnaissance data — hostname, current user (whoami), working directory, and uid/gid (id) — to a hardcoded webhook.site collector endpoint on every npm install. The package is published under an @checkrhq scope impersonating Checkr Inc. (author email uses checkr.com; description states 'This package is for testing only.') and ships no functional code, matching the canonical dependency-confusion beacon pattern targeting an organization's internal package namespace. Installing this package causes automatic outbound transmission of host and user identifiers to an anonymous third-party collector controlled by the publisher.

Source: ossf-package-analysis (dc8d5c39d401d053978bb8f17234bc79db730d15b55634319f239baf32dc9b0b)

The OpenSSF Package Analysis project identified '@checkrhq/adjudication-api-client' @ 0.0.2 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "dc8d5c39d401d053978bb8f17234bc79db730d15b55634319f239baf32dc9b0b",
            "versions": [
                "0.0.2"
            ],
            "import_time": "2026-07-05T23:26:10.436945716Z",
            "modified_time": "2026-07-02T20:51:05Z",
            "source": "ossf-package-analysis"
        },
        {
            "sha256": "8c52d9987ace09f0c48d8b0661bd1fcd3cf4e7e701b5e515810c7f32d99086cf",
            "id": "IN-MAL-2026-009364",
            "import_time": "2026-07-09T17:19:29.525560805Z",
            "modified_time": "2026-07-09T17:01:32Z",
            "versions": [
                "0.0.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @checkrhq/adjudication-api-client

Package

Name
@checkrhq/adjudication-api-client
View open source insights on deps.dev
Purl
pkg:npm/%40checkrhq/adjudication-api-client

Affected ranges

Affected versions

0.*
0.0.2

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "a597b12e44707978fb72a4529ac01770e8a3561379e5527f6f09071588dbd0bf",
            "tlsh": "7fe0c0602910a5337bd907a21824818fff74fd0fcf512c80e797916c0c892354ab710c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "adjudication-api-client-0.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-0MDn4mn+80uHXsDwFL4joTSX0d6vZFqmcQgP0XT5kIyux3iZgCXSUPMdjvFR5QJApU2BXy5qhzB9qYm5T2eZRA==",
                "sha1": "31a4f8ebc66b500b47a7e2863c673c8b8d87c1c5"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@checkrhq/adjudication-api-client/MAL-2026-6789.json"