MAL-2023-1111

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/afterpay-sdk-example-server/MAL-2023-1111.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2023-1111
Published
2023-05-03T01:37:43Z
Modified
2026-06-24T03:31:23.592082470Z
Summary
Malicious code in afterpay-sdk-example-server (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a81a53b70f9ae2610148f223507c5427bea5a52160b7f8ba214a0c3ac0fe96f7)

package.json declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js requires os/fs/https, then collects host identifiers and installer-side files — __dirname, os.homedir(), os.hostname(), os.userInfo(), DNS servers, the full contents of /etc/passwd and /etc/hosts, and the package.json — and POSTs them over HTTPS to xqrangwae3pk5bd12xbr6t8q9hfc32rr.oastify.com (a Burp Collaborator OAST subdomain). The package name 'afterpay-sdk-example-server' impersonates an internal Afterpay SDK example, consistent with a dependency-confusion payload targeting Afterpay's internal build systems. Whether published as research or attack, any installer running npm install leaks system account data and host fingerprints to an attacker-controlled out-of-band collection endpoint.

Source: ossf-package-analysis (555a159aa3b74ea73f8574c05e14aa536948cbe56b0420bcdcc0daa2a911ae2c)

The OpenSSF Package Analysis project identified 'afterpay-sdk-example-server' @ 20.0.0 (npm) as malicious.

It is considered malicious because: - The package communicates with a domain associated with malicious activity.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2023-05-03T01:37:43.254364445Z",
            "source": "ossf-package-analysis",
            "import_time": "2023-08-10T06:15:34.688464725Z",
            "sha256": "555a159aa3b74ea73f8574c05e14aa536948cbe56b0420bcdcc0daa2a911ae2c",
            "versions": [
                "20.0.0"
            ]
        },
        {
            "sha256": "328b2a8f94905ee0b2cc82dfaf2bc08b91fc054f442ec204ff09f65a419a7167",
            "id": "RLMA-2024-00311",
            "source": "reversing-labs",
            "import_time": "2024-06-28T02:41:50.31797239Z",
            "modified_time": "2024-06-25T12:25:05Z",
            "versions": [
                "20.0.0"
            ]
        },
        {
            "sha256": "a81a53b70f9ae2610148f223507c5427bea5a52160b7f8ba214a0c3ac0fe96f7",
            "id": "IN-MAL-2026-007396",
            "source": "amazon-inspector",
            "import_time": "2026-06-24T03:14:01.252380856Z",
            "modified_time": "2026-06-24T02:39:16Z",
            "versions": [
                "1.2.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / afterpay-sdk-example-server

Package

Name
afterpay-sdk-example-server
View open source insights on deps.dev
Purl
pkg:npm/afterpay-sdk-example-server

Affected ranges

Affected versions

1.*
1.2.1
20.*
20.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "3a41259592c917330dd110c0660c70812359fa777259d8d076cf42d6af869f8b7316f3",
            "sha256": "dda06ca44061b7a005ca1500165416d1144f6edcfc156a1063ccd5b1f5632ac1"
        },
        {
            "path": "package.json",
            "tlsh": "10d05e208e62953325c102aa0c2ba44673a18e2f14153c08a7cb192d818f67798ff35e",
            "sha256": "c22ab3825f9ec804d68cb62b820cf64dbec063fd77636063e684076559ad2f0f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/afterpay-sdk-example-server/MAL-2023-1111.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]