MAL-2026-10095

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fury_frontend-andes-ui/MAL-2026-10095.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10095
Published
2026-07-09T20:40:26Z
Modified
2026-07-10T15:33:27.555975888Z
Summary
Malicious code in fury_frontend-andes-ui (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (29bea4f118854efa6568545722d7210a76e06e64cad4036e0cc0b45c45aafe37)

The package's postinstall hook auto-executes index.js on npm install. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data. The package name mimics MercadoLibre's internal 'fury/andes-ui' naming convention and is published at version 99.9.5 to force resolution over any legitimate internal package with the same name — the standard dependency-confusion attack shape. The package ships no library functionality matching its name; its only effect on install is the identity beacon.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.9.5"
            ],
            "id": "IN-MAL-2026-009396",
            "import_time": "2026-07-09T21:03:50.781166041Z",
            "modified_time": "2026-07-09T20:40:26Z",
            "sha256": "29bea4f118854efa6568545722d7210a76e06e64cad4036e0cc0b45c45aafe37",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.9.6"
            ],
            "id": "IN-MAL-2026-009612",
            "import_time": "2026-07-10T15:23:37.003792875Z",
            "sha256": "b1aefe94fdc715e7ebd113a5ee7389e98dac714fdeae3df64fc0168d60325319",
            "modified_time": "2026-07-10T15:18:00Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / fury_frontend-andes-ui

Package

Name
fury_frontend-andes-ui
View open source insights on deps.dev
Purl
pkg:npm/fury_frontend-andes-ui

Affected ranges

Affected versions

99.*
99.9.5
99.9.6

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "fury_frontend-andes-ui-99.9.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-0bLkiPOsPNw1i5rFLin1fkul5fmZ7HoetDDhFp4EBUUfYIBsenXWsWrC5L8w4f+EEUslRItgGT7v7rASY9rzMw==",
                "sha1": "065e4280136fb4c7c6a1c5dfeec4dce69dc96f87"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "7bc8f8d3dfd900f28b5d7bff66f0985294a2a9e4048152f776f7e224c8ebf58c",
            "tlsh": "5031109465f6611046b658d8108f88193529f003325edfc0fbed43d0afc6578e9b2edd",
            "path": "index.js"
        },
        {
            "sha256": "808cf8d0f187084f88a685dfe6b07f948533e94c046c313a4b7ac075a6a69a30",
            "tlsh": "bbd0a7745c315a3378d456e60966640bb5619d1b0114780d5793245c92dea3748fd60f",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fury_frontend-andes-ui/MAL-2026-10095.json"