MAL-2026-10150

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ap3-components-ui/MAL-2026-10150.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10150
Published
2026-07-10T16:47:46Z
Modified
2026-07-10T17:17:01.880548171Z
Summary
Malicious code in ap3-components-ui (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5d97e0570ae62fdcbbbd0f4cd4844cf39d0b77a0d4bb346dd6dcb748f0300c43)

Package 'ap3-components-ui' at version 9.999.0 declares a preinstall hook ("node index.js > /dev/null 2>&1") that shells out to collect installer-side identifiers — hostname, current working directory, username, and the installer's public IP (fetched via curl to ifconfig.me) — hex-encodes the collected data, and exfiltrates it as DNS subdomain queries under d987f5ra3q1r1j7ahol0yzuwujwe76i55.oast.fun, an attacker-controlled Interactsh collector. The package name is also embedded in the beacon payload so the operator can correlate which internal name resolved externally. The tarball has an empty description, no README, and no library code beyond the exfil script — the canonical shape of a dependency-confusion squat on an internal package name, published at the sentinel version 9.999.0 to force resolution over any legitimate internal release.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "5d97e0570ae62fdcbbbd0f4cd4844cf39d0b77a0d4bb346dd6dcb748f0300c43",
            "id": "IN-MAL-2026-009657",
            "import_time": "2026-07-10T17:10:14.964726342Z",
            "versions": [
                "9.999.0"
            ],
            "modified_time": "2026-07-10T16:47:46Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / ap3-components-ui

Package

Affected ranges

Affected versions

9.*
9.999.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ap3-components-ui-9.999.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Xc2oI/+OM1cgCnE8XJeq5HdCMCMKkVf3a7BPHZIPGSvXLK/NGwvd+Zlk99engEvvBU7VQb3szqtW5CcKzUMcow==",
                "sha1": "1ce789f054990ee22f512b99c2d2e8bf09f6f0ad"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "ec09303e46f5f5c20fe154adc96359d6cb941a32168ddfa2999e23fdc146f47d",
            "tlsh": "65e0f1d4faad963273f01180dc20100f75c3be971cb2cc11520c803e3380b8760689e9",
            "path": "index.js"
        },
        {
            "sha256": "2c60baeb4dcbf61fcef53eb6f935b90ea061b854ce8185a75905d35c6e62c0be",
            "tlsh": "6ce07d345e306e3321c402a6183a5007a3e1cf1b0418bc0567cb051c018e2776cfe31e",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ap3-components-ui/MAL-2026-10150.json"