MAL-2026-10535
Malicious code in my-empty-package (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (914ffc98ce1f6553e4f9655208318800d0d22663842eb4c9a3d0d51d4f143bdd) package.json declares `postinstall: node index.js`. On `npm install`, index.js branches on `os.platform()` and executes platform-specific shell commands: `osascript` on macOS, `powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE>` on Windows, and `python3 -c 'os.system(...)'` on Linux. After the payload runs, a cleanup step renames a shipped `package.md` over `package.json` and unlinks `index.js` itself, removing the install-time script from disk and presenting a different manifest to any post-install inspection. The hidden-window base64-encoded PowerShell invocation is a standard malware evasion technique. Manifest swap + entrypoint self-deletion is anti-forensic behavior with no legitimate purpose. Even though the current payload body is a benign demonstration (opens the calculator), the delivery framework is a fully-functional install-time RCE dropper skeleton: any content placed in the platform branches would execute automatically on install with the user's privileges and then erase its own traces.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for my-empty-package (npm). Pin to a known-safe version or switch to an alternative.