MAL-2026-10179

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@uwr/colors/MAL-2026-10179.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10179
Published
2026-07-10T22:43:45Z
Modified
2026-07-10T23:01:54.335651718Z
Summary
Malicious code in @uwr/colors (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (91240d8fb55b7ed4730a41f3a334c633bf1a03afb649fd473cad0c0a25312847)

The package's postinstall script reads the installer's machine hostname via os.hostname() and performs a DNS lookup of <hostname>.0ab1mctv5xigbskwtfusp77dj4pvdx1m.oastify.com, leaking the hostname to a Burp Suite Collaborator subdomain at npm install time without consent. oastify.com is the Burp Collaborator service, commonly used by attackers as an out-of-band data-exfiltration channel. The package's advertised functionality is a trivial 5-entry frozen color constants map under the unscoped-looking @uwr scope ("colors for the unified workflow runtime") with an empty author field, consistent with a dependency-confusion / reconnaissance probe staged against an internal namespace rather than a legitimate library.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.3.6"
            ],
            "id": "IN-MAL-2026-009729",
            "import_time": "2026-07-10T22:50:19.341835068Z",
            "modified_time": "2026-07-10T22:43:45Z",
            "sha256": "91240d8fb55b7ed4730a41f3a334c633bf1a03afb649fd473cad0c0a25312847",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @uwr/colors

Package

Affected ranges

Affected versions

1.*
1.3.6

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "dc3cb96ca7208aef0ff019fa4492cb70385891ad75b63127dbf93b93288ca45f",
            "tlsh": "bbf0ac4d38e329455f5258ec204fb82d751ddea7b09dc088ba8d0ae08f5223859b6a8c",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "6fd37fc8898a9df4434b6537800e3bbe1d5211e6adbe1cd6d43e6be4a5aab63c",
            "tlsh": "00f08b15cab00e3324c8ab2f2c2b8157b6618c9701587d1633c7026c0f8e66b28ff2ad",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "colors-1.3.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-MkiepX7ZYdReFILGGhdYPMJc+aPTNwnjEPKM+NMyuS1XvFQNBHX2ofLP5akNnoVcowu8xvThyW4w+LrhwJhKCA==",
                "sha1": "641fdc8894e11626444aeaf4b44ae972feadffd0"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@uwr/colors/MAL-2026-10179.json"