npm · Malicious package advisory
Malwarecms-store-ren
MAL-2026-5364
Malicious code in cms-store-ren (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (da3593e36ce898d648883ea6f911a5cec1f75f9e8bda5585f7ff5f8754c821de) The package's `scripts.install` runs `install.js` on every `npm install`. The script unconditionally POSTs the installer's hostname, OS, and architecture to api.telegram.org using a hardcoded bot token and chat ID (install.js:7 `BOT_TOKEN = '8877182499:...'`, install.js:50-56 builds the message and sends via `sendTelegramMessage()`). On Windows, the same script writes a hidden PowerShell bootstrapper that installs Scoop/Winget and Deno, then executes `deno -A http://77.90.185.225/deee80f30a6921b4.js` — fetching an arbitrary JavaScript payload from a bare-IP HTTP URL and running it with all Deno permissions under a hidden PowerShell window. The package has no legitimate functionality (`index.js` only logs a string; placeholder author `work1`, description `cms install`) and exists solely to deliver the install-time payload. Both install-time host reconnaissance exfiltration and install-time arbitrary remote code execution from attacker infrastructure are present. ## Source: ossf-package-analysis (1e0e43b074cffbde07a16c0b1ae1645b1edebcfa7fe192f6161237b0f011952d) The OpenSSF Package Analysis project identified 'cms-store-ren' @ 1.1.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 1.1.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.