MAL-2025-5455

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/red-bull-venue-tools/MAL-2025-5455.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-5455
Published
2025-06-22T15:32:21Z
Modified
2026-07-08T21:46:51.747088544Z
Summary
Malicious code in red-bull-venue-tools (npm)
Details

The package communicates with a domain associated with malicious activity.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b)

package.json declares preinstall=node index.js, which fires automatically on npm install. index.js collects host reconnaissance — os.hostname(), os.platform()/arch, os.homedir(), os.userInfo() (username/uid/gid/shell), whoami and id shell command output via child_process.exec, OS info, and cwd — and POSTs the JSON payload to a hardcoded Burp Collaborator OAST subdomain at https://theyfiesr9w2p5moyrr9yn6lscy3mvak.oastify.com/detox56. The package name impersonates a Red Bull brand namespace, consistent with a targeted reconnaissance / dependency-confusion probe against an internal Red Bull build environment. Installer harm is concrete: every npm install of this version leaks installer identity and host fingerprint to an attacker-controlled out-of-band destination.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b",
            "id": "IN-MAL-2026-008599",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T21:27:49.425518565Z",
            "modified_time": "2026-07-08T20:34:16Z",
            "versions": [
                "19.2.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / red-bull-venue-tools

Package

Name
red-bull-venue-tools
View open source insights on deps.dev
Purl
pkg:npm/red-bull-venue-tools

Affected ranges

Type
SEMVER
Events
Introduced
9.9.9

Affected versions

19.*
19.2.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "525140c516f65a251ba7b8494a4f9002a327e0033509ee55bfcc8340af9937c9bf0bf6",
            "sha256": "5ad438bc2656321332a7ab460fc3349900ad58f51ef9394cfb9a53a3b6e6703f"
        },
        {
            "path": "i",
            "tlsh": "d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123",
            "sha256": "5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a"
        }
    ],
    "package_integrity": [
        {
            "filename": "red-bull-venue-tools-19.2.1.tgz",
            "hashes": {
                "sha1": "c2a716b21f1feea01f6fe8180711fe10f27db350",
                "sha512_sri": "sha512-hEcbw1tdo0ddRdza5P1/mrM6igy/fBX0ZZHc5dZtCDXh1CL5wVHVUHmnZjW6YeeFtuTSY3Gt55vWVK4MM0t1jQ=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/red-bull-venue-tools/MAL-2025-5455.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]