MAL-2026-10128

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ohcm-culture-formatting/MAL-2026-10128.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10128
Published
2026-07-10T15:19:50Z
Modified
2026-07-10T15:32:11.574891364Z
Summary
Malicious code in ohcm-culture-formatting (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5679f4434881406ce5af055e04a3ab7403158df3404c928a7fbc67596d0e9631)

ohcm-culture-formatting@5.0.0 declares a preinstall hook ("preinstall": "node index.js") that auto-executes on npm install. index.js uses child_process.exec to run a shell pipeline that reads /etc/passwd, /etc/hosts, /etc/shadow, and id output, base64-encodes the concatenation, and POSTs it via curl to http://d98fu4tmls2g936th9qgfxje1qj9g91a6.oast.fun/ohcm-culture-formatting/$(whoami)/$(hostname)/, embedding the installer's username and hostname in the URL path and the file contents in the User-Agent header. The destination is an Interactsh/OAST out-of-band interaction collector. The package name mimics an internal ADP/Lifion (ohcm-*) namespace and the description string is Lifion host, consistent with a dependency-confusion payload targeting that internal namespace.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "5.0.0"
            ],
            "id": "IN-MAL-2026-009616",
            "import_time": "2026-07-10T15:23:37.489355542Z",
            "modified_time": "2026-07-10T15:19:50Z",
            "sha256": "5679f4434881406ce5af055e04a3ab7403158df3404c928a7fbc67596d0e9631",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / ohcm-culture-formatting

Package

Name
ohcm-culture-formatting
View open source insights on deps.dev
Purl
pkg:npm/ohcm-culture-formatting

Affected ranges

Affected versions

5.*
5.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ohcm-culture-formatting-5.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-RGxxbV0Qz51+MdMT2pzWym7Zfw899jrOysBuLKQFpp9TuebbgIOaPVqS/VN90BDGO1bcZ0GnoQqxHN55pbOo0g==",
                "sha1": "373786503bc394d3157c85a86aed0efc985bd198"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "85d59d10b0659cb610dee579a9b4f1df5cd6008355555958bf18fec8d778ed79",
            "tlsh": "48f0074a08f8dc31b6a9087ceb04081b7b0bfac04022b34228af0908339c998802a1b3",
            "path": "index.js"
        },
        {
            "sha256": "bb0e4c6d9678484a87c31df0226c8c9e3207057def3ddebc7108f7dea20524c1",
            "tlsh": "7cd095580a55b735250189d0acfd5c4763f9537c004c580098cb0434c09a7fbc56e77b",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ohcm-culture-formatting/MAL-2026-10128.json"