MAL-2026-10178

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@broadpeak/smartlib-ad/MAL-2026-10178.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10178
Published
2026-07-10T22:43:23Z
Modified
2026-07-10T23:01:54.273583209Z
Summary
Malicious code in @broadpeak/smartlib-ad (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289)

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js loads child_process/os/https, runs whoami and id, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the @broadpeak scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289",
            "id": "IN-MAL-2026-009727",
            "import_time": "2026-07-10T22:50:19.092147104Z",
            "modified_time": "2026-07-10T22:43:23Z",
            "versions": [
                "24.1.10"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @broadpeak/smartlib-ad

Package

Name
@broadpeak/smartlib-ad
View open source insights on deps.dev
Purl
pkg:npm/%40broadpeak/smartlib-ad

Affected ranges

Affected versions

24.*
24.1.10

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "8f8c3fdb9d25887f5261526b88affa83cedc58dfcdd4658d238ab1c27dc0a4f6",
            "tlsh": "24515fc505f69a291ba7b8494a4f9402b227e0033646de55bfcc8740af9537c9bf0bf2",
            "path": "index.js"
        },
        {
            "tlsh": "a2d05e344e21553339c22692182aa5467661cf2f04047c0563db582d518e27798ff71d",
            "sha256": "03bf1a4818f0ed90787664df6f821dc0b5418660e2469707e9ab7a188309af63",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "smartlib-ad-24.1.10.tgz",
            "hashes": {
                "sha512_sri": "sha512-XSRl5W1xCuzJxQB6YcUlkQnxtUCXLoKPw+jT24b4YE5NYNYQ0B+gUHSfuyrRW/TasUS1dEJOCspYugPuhof/SA==",
                "sha1": "aab1dfbc34385f7f35ea3e784362860817786a8a"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@broadpeak/smartlib-ad/MAL-2026-10178.json"