MAL-2026-10535
Malicious code in my-empty-package (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (914ffc98ce1f6553e4f9655208318800d0d22663842eb4c9a3d0d51d4f143bdd) package.json declares `postinstall: node index.js`. On `npm install`, index.js branches on `os.platform()` and executes platform-specific shell commands: `osascript` on macOS, `powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE>` on Windows, and `python3 -c 'os.system(...)'` on Linux. After the payload runs, a cleanup step renames a shipped `package.md` over `package.json` and unlinks `index.js` itself, removing the install-time script from disk and presenting a different manifest to any post-install inspection. The hidden-window base64-encoded PowerShell invocation is a standard malware evasion technique. Manifest swap + entrypoint self-deletion is anti-forensic behavior with no legitimate purpose. Even though the current payload body is a benign demonstration (opens the calculator), the delivery framework is a fully-functional install-time RCE dropper skeleton: any content placed in the platform branches would execute automatically on install with the user's privileges and then erase its own traces.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for my-empty-package (npm). Pin to a known-safe version or switch to an alternative.