MAL-2026-10084

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/conversionvaluemanager/MAL-2026-10084.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10084
Published
2026-07-09T17:00:59Z
Modified
2026-07-09T17:31:59.302277481Z
Summary
Malicious code in conversionvaluemanager (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (21445a74cc1c4d33c89f1a7d8c357c79d5adb11cda135c813676b23c875418e9)

On npm install, postinstall.js automatically runs and gathers installer-identifying data (os.hostname(), os.userInfo(), os.platform(), cwd, Node version, timestamp), then sends it as query-string parameters via plain-HTTP GET to a Burp Collaborator subdomain at aq4v2egelzh9n07h3l9d2b5mvd14pvdk.oastify.com/adjust-dep-confusion. The package.json description self-identifies as a dependency-confusion proof-of-concept ("PoC - Dependency Confusion - Bug Bounty by ha4x0r"), and the package name targets an internal/private package name. Any organization whose build misresolves to this public package leaks host, user, and environment identifiers to the third-party Collaborator endpoint on install. PoC/bug-bounty framing does not change the installer-side impact: the beacon fires on every install.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "21445a74cc1c4d33c89f1a7d8c357c79d5adb11cda135c813676b23c875418e9",
            "id": "IN-MAL-2026-009360",
            "source": "amazon-inspector",
            "import_time": "2026-07-09T17:19:28.960426558Z",
            "modified_time": "2026-07-09T17:00:59Z",
            "versions": [
                "3.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / conversionvaluemanager

Package

Name
conversionvaluemanager
View open source insights on deps.dev
Purl
pkg:npm/conversionvaluemanager

Affected ranges

Affected versions

3.*
3.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "conversionvaluemanager-3.0.0.tgz",
            "hashes": {
                "sha1": "dd96a7ab22110ff8458ff5a10bfcca9e6eaead42",
                "sha512_sri": "sha512-v5eYv9MQ27vNNjFWjRJoadgOlE9Y9EPY7QVPzwaJ+5HfF9wovie2dWlmDCivObNOS0kDYFiiPSb4fsoayPz0JA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "tlsh": "e7f0acf0a2a5ebb81974a7d0a26a080793bbd1057d5bbcd1daa940986b5c2a402b05f4",
            "sha256": "dadaad150a1789aec709a78a41507ff0d88d2ab999dc6622e3574d9ea5f34b49"
        },
        {
            "path": "package.json",
            "tlsh": "dfd097240e62aa3378c50b860833500f27324e0b020c7c8c13e724a8229e3b74abf31f",
            "sha256": "5c3b9e3047d939f4160b1a93994530150054fdc54004292ba8fa3e5287d5d6a2"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/conversionvaluemanager/MAL-2026-10084.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]