OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10038 confirms this npm version as malicious. On `npm install`, the declared preinstall script (preinstall.js) POSTs the installer's full `process.env`, `os.hostname()`, `os.platform()`, cwd, container-detection artifacts (`/.dockerenv`, `/proc/1/cgroup`, `/proc/self/mountinfo`), and the output of shell reconnaissance commands (`id`, `whoami`, `hostname`, `ps aux`) to `http://101.35.44.248` over plain HTTP...
Advisory
MAL-2026-10038
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in antsrcsrctest (npm)
Details
On `npm install`, the declared preinstall script (preinstall.js) POSTs the installer's full `process.env`, `os.hostname()`, `os.platform()`, cwd, container-detection artifacts (`/.dockerenv`, `/proc/1/cgroup`, `/proc/self/mountinfo`), and the output of shell reconnaissance commands (`id`, `whoami`, `hostname`, `ps aux`) to `http://101.35.44.248` over plain HTTP. The script additionally issues `curl` requests to the Alibaba Cloud instance metadata service at `100.100.100.200`, including the `latest/meta-data/ram/security-credentials/` path that returns temporary IAM credentials for the instance role, and forwards the response to the same attacker endpoint. The package advertises itself as "a simple date formatting utility" and index.js contains only a 7-line date formatter, confirming a decoy cover story for install-time credential theft and environment exfiltration.
Decision reason
OpenSSF Malicious Packages via OSV confirms antsrcsrctest@1.0.0 as malicious (MAL-2026-10038): Malicious code in antsrcsrctest (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory