MAL-2026-10200

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/api-changelly/MAL-2026-10200.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10200
Published
2026-07-12T20:46:51Z
Modified
2026-07-12T21:01:54.145006050Z
Summary
Malicious code in api-changelly (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a94f4aa368f1838507a78dde78062b740a5853b516d9d32782d0264b539b724c)

The package declares preinstall: node index.js, which runs automatically on npm install. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes whoami and id via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56. The package name api-changelly impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private changelly-family dependency to this public package.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a94f4aa368f1838507a78dde78062b740a5853b516d9d32782d0264b539b724c",
            "id": "IN-MAL-2026-009757",
            "import_time": "2026-07-12T20:48:33.549270104Z",
            "modified_time": "2026-07-12T20:46:51Z",
            "versions": [
                "19.2.11"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / api-changelly

Package

Affected ranges

Affected versions

19.*
19.2.11

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "api-changelly-19.2.11.tgz",
            "hashes": {
                "sha512_sri": "sha512-Kd9Th2X8xB5P4IhMYp+jrYxIMhuoJOuTA47rFLhR7PWaj6IdsWH3iEH70QkwuGoE1xSmPBsraU0UF1Z90xQLzw==",
                "sha1": "ab3085ad2a1819a7692f77c63ca919d9f36893ba"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "9da89e1cfd4a5fadc51e63f0064bb3535e4f21f82572f4de2e82e9e88d29f965",
            "tlsh": "755141c515fa56241ba7b8494a4f9002a327e0033905de55bfcc8740af9937c97f0bf2",
            "path": "index.js"
        },
        {
            "sha256": "b923d6ac85d73e151c9f6522c7eabefff93802dc070710f8828f08dc0ead2adf",
            "tlsh": "56d0a7748e21553369c502624c2ba44772b19f6f14147c0463df592d52ce67798ff30d",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/api-changelly/MAL-2026-10200.json"