MAL-2026-10038: Malicious code in antsrcsrctest (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (80da6b239fe02ae1bbf7086d885062181d9ea048490ad77911a63ae4c393cc42) On `npm install`, the declared preinstall script (preinstall.js) POSTs the installer's full `process.env`, `os.hostname()`, `os.platform()`, cwd, container-detection artifacts (`/.dockerenv`, `/proc/1/cgroup`, `/proc/self/mountinfo`), and the output of shell reconnaissance commands (`id`, `whoami`, `hostname`, `ps aux`) to `http://101.35.44.248` over plain HTTP. The script additionally issues `curl` requests to the Alibaba Cloud instance metadata service at `100.100.100.200`, including the `latest/meta-data/ram/security-credentials/` path that returns temporary IAM credentials for the instance role, and forwards the response to the same attacker endpoint. The package advertises itself as "a simple date formatting utility" and index.js contains only a 7-line date formatter, confirming a decoy cover story for install-time credential theft and environment exfiltration.
MAL-2026-10038: Malicious code in antsrcsrctest (npm)
Description
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (80da6b239fe02ae1bbf7086d885062181d9ea048490ad77911a63ae4c393cc42) On `npm install`, the declared preinstall script (preinstall.js) POSTs the installer's full `process.env`, `os.hostname()`, `os.platform()`, cwd, container-detection artifacts (`/.dockerenv`, `/proc/1/cgroup`, `/proc/self/mountinfo`), and the output of shell reconnaissance commands (`id`, `whoami`, `hostname`, `ps aux`) to `http://101.35.44.248` over plain HTTP. The script additionally issues `curl` requests to the Alibaba Cloud instance metadata service at `100.100.100.200`, including the `latest/meta-data/ram/security-credentials/` path that returns temporary IAM credentials for the instance role, and forwards the response to the same attacker endpoint. The package advertises itself as "a simple date formatting utility" and index.js contains only a 7-line date formatter, confirming a decoy cover story for install-time credential theft and environment exfiltration.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10038
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50bac068715ace43587750
Added to database: 07/10/2026, 09:26:24 UTC
Last updated: 07/10/2026, 09:26:24 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.