MAL-2025-5016

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0vulns-dependency-confusion-poc/MAL-2025-5016.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-5016
Published
2025-06-12T17:49:59Z
Modified
2026-05-13T20:23:24.845001Z
Summary
Malicious code in 0vulns-dependency-confusion-poc (npm)
Details

The package communicates with a domain associated with malicious activity.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3d282025fb2ec1b4012e3b979cec1f66520e643fcadfd2864e54989de50dd00d)

The package.json preinstall script runs wget against an attacker-controlled webhook.site URL, passing $(whoami), $(pwd), and $(hostname) as query parameters, executing automatically on npm install. This matches the npm-lifecycle-external-fetch and credential/telemetry exfiltration patterns (findings a static pattern match, a static pattern match, a static pattern match, a static pattern match, a static pattern match). the analysis confirms contextually that the script performs reconnaissance exfiltration to a non-registry collector, and config.unsafe-perm is set to ensure execution. the analysis further notes that the declared main entrypoint is missing and the tarball contains only package.json — the package exists solely to trigger the beacon, with no legitimate runtime functionality. Self-identification as a 'PoC' does not change the risk to an unintended installer (e.g., via dependency confusion).

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "3d282025fb2ec1b4012e3b979cec1f66520e643fcadfd2864e54989de50dd00d",
            "id": "IN-MAL-2026-002516",
            "import_time": "2026-05-13T20:10:59.478039662Z",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / 0vulns-dependency-confusion-poc

Package

Name
0vulns-dependency-confusion-poc
View open source insights on deps.dev
Purl
pkg:npm/0vulns-dependency-confusion-poc

Affected ranges

Type
SEMVER
Events
Introduced
1.0.0

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "df25c9820813642beda96bfe9125ae273eb44b4dd28c6c8530c4325bef226dc1",
            "tlsh": "4101dd30a220bf2316c55ae11925022bf672fba795112d1cefa71118b32fde1107ca14",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "0vulns-dependency-confusion-poc-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-AW9LFLvjvQqLBQVqDRlUgWn3NeLuTmEu99oJ4CFl2UMOFpGm+k5vVd/WtCqIozaiK+pv0H6hdyKK/o+Cdmuv+w==",
                "sha1": "0ecb0bad360b07068f961dfc7368d0e82aaf81a2"
            }
        }
    ],
    "urls": [
        "https://webhook.site/b8e1f97a-a6a9-4353-bb3b-e9eb416eb996?user=$(whoami"
    ],
    "domains": [
        "webhook.site"
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0vulns-dependency-confusion-poc/MAL-2025-5016.json"