MAL-2026-5461
Malicious code in fhirproxy-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (405cf847121f4bfed32bc5679a40b64c1338b142af75823ef9583944a7ae7b5a) On `npm install` (via the `prepare` lifecycle hook and many other lifecycle aliases) and on `require()`, index.js performs broad reconnaissance and exfiltration of the installer's environment. It collects hostname, username, architecture, working-directory tree, network interfaces, /etc/resolv.conf, process list,.git/HEAD, UID/GID, project package.json metadata, ~/.npmrc registry/scope configuration, the developer's git identity (via `git config --global user.email`), CI/CD environment variables (GITHUB_*, GITLAB_*, AWS_*, CIRCLE_*, etc.), and the presence of ~/.ssh, ~/.aws, ~/.kube. When running on a cloud instance it queries the IMDS endpoint at 169.254.169.254 (stored as the decimal-encoded host `2852039166`), obtains an IMDSv2 token, fetches the IAM role and temporary STS credentials, and includes the first 40 characters of the access token in the payload; equivalent paths exist for Azure and GCP metadata. It also performs DNS reconnaissance against internal-only hostnames (kubernetes.default.svc.cluster.local, vault.internal, consul.service.consul, gitlab.local, jenkins.local, redis.internal, etc.) to map the victim's internal network. Collected data is base64-encoded, fragmented, and exfiltrated via chunked HTTPS GET requests to `momo-rest.lapxa354.workers.dev` (a Cloudflare Workers C2 endpoint), with the destination obscured via `Buffer.from("bW9tby1yZXN0LmxhcHhhMzU0LndvcmtlcnMuZGV2", "base64").toString()` at index.js:43. The package additionally squats common build-tool command names by declaring `bin` entries for webpack, vite, tsc/tsnode, jest, eslint, gulp, next, turbo, and prettier — all aliased to index.js — and spawns the real local tool (e.g. `webpack-cli`) afterwards to mask the malicious behavior when invoked via PATH or `npx`.
## Source: ghsa-malware (4bebd4a133fd4719ba9fec03a4bcdd3ae5090aa2054beca2e84fa7335dd5c9b7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for fhirproxy-utils (npm). Pin to a known-safe version or switch to an alternative.