MAL-2026-10086

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dl-pp-latm/MAL-2026-10086.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10086
Published
2026-07-09T17:03:02Z
Modified
2026-07-09T17:31:53.943647002Z
Summary
Malicious code in dl-pp-latm (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e21f1adb71c41838848c4d4292830a9738895d32a5b0f1f098e1efdadb233716)

Package dl-pp-latm@80.4.2 registers both preinstall and postinstall lifecycle hooks that run index.js, which collects installer machine identifiers — os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), current working directory, and the full package.json — and transmits them via HTTPS POST and DNS lookup to an Interactsh-style subdomain 'bvfmpadujgjgmbtzeibiikzijuhmtd2rs.oast.fun'. The package name pattern and 'Internal App bUg b0UntY gollum22' description match a dependency-confusion probe targeting internal/private package names; any developer workstation or CI system that resolves this package leaks internal hostnames, usernames, and DNS configuration to a third-party OOB collector. This fires automatically on npm install without user interaction.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "e21f1adb71c41838848c4d4292830a9738895d32a5b0f1f098e1efdadb233716",
            "id": "IN-MAL-2026-009375",
            "source": "amazon-inspector",
            "import_time": "2026-07-09T17:19:30.80729264Z",
            "modified_time": "2026-07-09T17:03:02Z",
            "versions": [
                "80.4.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / dl-pp-latm

Package

Affected ranges

Affected versions

80.*
80.4.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "dl-pp-latm-80.4.2.tgz",
            "hashes": {
                "sha1": "2f08415098c1c436a3363ea25a98089761373f10",
                "sha512_sri": "sha512-GErY71T3aJhA/iN4e7dhhAGjya+YmNbs+frbPQiFHkwUsODwz1w8ptwtZB1xnh6QnMxsOH6u9aXsbn7w29SVVA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "b7413398445163608eb187d86911d40af6a6eb7731c487a5f9fe47c02fb36b420b2dbc",
            "sha256": "372af57e73c6d36ea2deb9fcafe7469c3a09849ef18e9ff2b894ba8e8cca425b"
        },
        {
            "path": "package.json",
            "tlsh": "e7e026324c361a2329b006aa887ba956b2a08f3f10349c17b1bf092c91e323198de30d",
            "sha256": "21ff6f483981c8d7a11d2d40faae6c89704891f1886f493a50afb0aa93ae6d93"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dl-pp-latm/MAL-2026-10086.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]