-= Per source details. Do not edit below this line.=-
ohcm-culture-formatting@5.0.0 declares a preinstall hook ("preinstall": "node index.js") that auto-executes on npm install. index.js uses child_process.exec to run a shell pipeline that reads /etc/passwd, /etc/hosts, /etc/shadow, and id output, base64-encodes the concatenation, and POSTs it via curl to http://d98fu4tmls2g936th9qgfxje1qj9g91a6.oast.fun/ohcm-culture-formatting/$(whoami)/$(hostname)/, embedding the installer's username and hostname in the URL path and the file contents in the User-Agent header. The destination is an Interactsh/OAST out-of-band interaction collector. The package name mimics an internal ADP/Lifion (ohcm-*) namespace and the description string is Lifion host, consistent with a dependency-confusion payload targeting that internal namespace.
{
"malicious-packages-origins": [
{
"versions": [
"5.0.0"
],
"id": "IN-MAL-2026-009616",
"import_time": "2026-07-10T15:23:37.489355542Z",
"modified_time": "2026-07-10T15:19:50Z",
"sha256": "5679f4434881406ce5af055e04a3ab7403158df3404c928a7fbc67596d0e9631",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "ohcm-culture-formatting-5.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-RGxxbV0Qz51+MdMT2pzWym7Zfw899jrOysBuLKQFpp9TuebbgIOaPVqS/VN90BDGO1bcZ0GnoQqxHN55pbOo0g==",
"sha1": "373786503bc394d3157c85a86aed0efc985bd198"
}
}
],
"evidence_files": [
{
"sha256": "85d59d10b0659cb610dee579a9b4f1df5cd6008355555958bf18fec8d778ed79",
"tlsh": "48f0074a08f8dc31b6a9087ceb04081b7b0bfac04022b34228af0908339c998802a1b3",
"path": "index.js"
},
{
"sha256": "bb0e4c6d9678484a87c31df0226c8c9e3207057def3ddebc7108f7dea20524c1",
"tlsh": "7cd095580a55b735250189d0acfd5c4763f9537c004c580098cb0434c09a7fbc56e77b",
"path": "package.json"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ohcm-culture-formatting/MAL-2026-10128.json"