mal-2026-6716
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (ae5df84cbdf3092d5f7b8f405248144eacdf5119c756c97726974e547810ebec)
On npm install, the package's postinstall script (node demo-clean.js) auto-executes two installer-side actions without consent. First, openDemo() platform-branches via execSync to open https://github.com/X3r0Day/BunnyHijack in the installer's default browser and to spawn the OS calculator (calc on Windows, open -a Calculator on macOS, gnome-calculator/kcalc on Linux) — the canonical calc.exe proof of unauthenticated code execution on the installer's host. Second, cleanup() walks every ancestor directory of INIT_CWD, process.cwd(), and the user's home directory, calling fs.rmSync(..., {recursive:true, force:true}) against paths inside each ancestor's node_modules, node_modules/.pnpm, node_modules/.bin/node* shims, ~/.npm/_npx, ~/.bun/install/cache, and tmpdir entries; cleanupPackageJson() then reads each ancestor package.json and rewrites it via fs.writeFileSync after deleting matching entries from dependencies, devDependencies, optionalDependencies, and peerDependencies. The destructive recursive-force-rm operates well outside the package's own directory and reaches the user's home tree, and the spawned-process primitive can be retargeted to any binary in a future release.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "package.json",
"sha256": "8f7a41070899d5ceb3cd3a6efd35364f45943b1b41a0f8a01010993f897e48d1",
"tlsh": "1ed02b448861467324cd38615d399403a7380b4780153c2c62d71099aa497bb04b9265"
},
{
"path": "shim.js",
"sha256": "e4ae6c862f2fcf3c6440c966cd74bd9f07a06be072bd301df27ae0848aa50adb",
"tlsh": "3331726796a197f42de04dc2a487482174abc723b205ffb881ced1536b8a41702fb4f9"
}
],
"package_integrity": [
{
"filename": "test-pkg-pnpm-1.0.1.tgz",
"hashes": {
"sha1": "b399121b46ab19bca631a7c8234653a187e9a343",
"sha512_sri": "sha512-Jki+8yoVYBSIpTuE83uAVs1P1+sB7zGchYs0/a6Ehyc2FFIBXxtxeRKEMgN/paXXit0sHpH3rMCizPaOluUlgw=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "test-pkg-pnpm"
},
"versions": [
"1.0.1",
"1.0.4"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007894",
"import_time": "2026-07-01T21:04:20.562853387Z",
"modified_time": "2026-07-01T20:47:27Z",
"sha256": "8ee6a2ba8d90a67199eae146b7688190adb974ce5aa1be7c07d56e2e3999d270",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-007893",
"import_time": "2026-07-01T21:04:20.500515222Z",
"modified_time": "2026-07-01T20:47:19Z",
"sha256": "ae5df84cbdf3092d5f7b8f405248144eacdf5119c756c97726974e547810ebec",
"source": "amazon-inspector",
"versions": [
"1.0.4"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ae5df84cbdf3092d5f7b8f405248144eacdf5119c756c97726974e547810ebec)\nOn `npm install`, the package\u0027s `postinstall` script (`node demo-clean.js`) auto-executes two installer-side actions without consent. First, `openDemo()` platform-branches via `execSync` to open https://github.com/X3r0Day/BunnyHijack in the installer\u0027s default browser and to spawn the OS calculator (`calc` on Windows, `open -a Calculator` on macOS, `gnome-calculator`/`kcalc` on Linux) \u2014 the canonical `calc.exe` proof of unauthenticated code execution on the installer\u0027s host. Second, `cleanup()` walks every ancestor directory of `INIT_CWD`, `process.cwd()`, and the user\u0027s home directory, calling `fs.rmSync(..., {recursive:true, force:true})` against paths inside each ancestor\u0027s `node_modules`, `node_modules/.pnpm`, `node_modules/.bin/node*` shims, `~/.npm/_npx`, `~/.bun/install/cache`, and tmpdir entries; `cleanupPackageJson()` then reads each ancestor `package.json` and rewrites it via `fs.writeFileSync` after deleting matching entries from `dependencies`, `devDependencies`, `optionalDependencies`, and `peerDependencies`. The destructive recursive-force-rm operates well outside the package\u0027s own directory and reaches the user\u0027s home tree, and the spawned-process primitive can be retargeted to any binary in a future release.\n",
"id": "MAL-2026-6716",
"modified": "2026-07-01T21:06:12Z",
"published": "2026-07-01T20:47:19Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/test-pkg-pnpm/v/1.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/test-pkg-pnpm/v/1.0.4"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in test-pkg-pnpm (npm)"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.