registry  /  ledgerflow-deploy-utils  /  1.0.4

ledgerflow-deploy-utils@1.0.4

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6591 confirms this npm version as malicious. On npm install, the package's postinstall script queries the AWS instance metadata service (IMDSv1) at 169.254.169.254 for the attached IAM role and POSTs the result, along with an IMDS-reachability probe, over plain HTTP to a hardcoded bare IP (54.226.194.239:80/chain3). The published library surface (index.js) only exports two no-op console.log stubs named validate/deploy, with no real functionality — the entire...

Advisory
MAL-2026-6591
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ledgerflow-deploy-utils (npm)
Details
On npm install, the package's postinstall script queries the AWS instance metadata service (IMDSv1) at 169.254.169.254 for the attached IAM role and POSTs the result, along with an IMDS-reachability probe, over plain HTTP to a hardcoded bare IP (54.226.194.239:80/chain3). The published library surface (index.js) only exports two no-op console.log stubs named validate/deploy, with no real functionality — the entire effective behavior is the install-time reconnaissance against AWS-hosted installers and CI runners. The combination of a placeholder API, a generic deployment-utility name suggesting an internal/private package, and install-time recon to a hardcoded bare-IP C2 matches the dependency-confusion / internal-name-squat pattern targeting corporate build systems, where exposed IAM role names enable follow-on credential abuse against the installer's cloud environment.
Decision reason
OpenSSF Malicious Packages via OSV confirms ledgerflow-deploy-utils@1.0.4 as malicious (MAL-2026-6591): Malicious code in ledgerflow-deploy-utils (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory