MAL-2026-5578
Malicious code in webpack-cache-clean (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9) On `npm install`, the package runs a postinstall hook (`node -e "require('./loader.js')"`) that spawns a detached child process. The child decodes an obfuscated base64 URL (mislabeled as 'hex' with large whitespace padding) resolving to https://jsonkeeper.com/b/L435A, an anonymous JSON paste host, performs an HTTPS GET, extracts JavaScript source from a `manifest.session` field, writes it to a temp file, and `require()`s it — with no signature, hash, or pinned-version check. The fetched code runs with the installer's privileges and can be changed by the attacker between fetches. The package metadata is also inconsistent: the package name is `webpack-cache-clean`, the README is titled `webpack-cache-plugin`, the repository URL points at `webpack-tools/webpack-cache-plugin`, and the author is the generic `Webpack Tools` — a cover story to lure installers searching for legitimate webpack cache tooling. This satisfies install-time-rce: attacker-controlled, unpinned, obfuscated remote code execution fires automatically on default install.
## Source: ghsa-malware (6f98923d9f08741f534522f4b816b09d5953f8d73ddbaef49710ba42236a9cff) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for webpack-cache-clean (npm). Pin to a known-safe version or switch to an alternative.