-= Per source details. Do not edit below this line.=-
package.json declares a postinstall script that runs node index.js. On npm install, index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec. The transmission is unconditional and fires automatically on default install. The destination is a generic webhook-capture service unrelated to any declared package purpose, and the collected fields are host identifiers useful for victim triage / beacon confirmation.
{
"malicious-packages-origins": [
{
"versions": [
"99.9.9"
],
"id": "IN-MAL-2026-009753",
"import_time": "2026-07-12T20:48:33.354486684Z",
"modified_time": "2026-07-12T20:45:28Z",
"sha256": "745f81b0c53fa121939d4f71680783860795a394eb30308f6e7e2dcf29401c92",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "66282b09f7caaa5bf5e8f452563b22bfb584809882a181a7ac1901e65a86d664",
"tlsh": "13f0ddf085b186604ffe51d4a04cbc1e2263e201b44fa990e5c443645fc5ae458f2de5",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "bugexploit-99.9.9.tgz",
"hashes": {
"sha512_sri": "sha512-bblnHNtPANP4owGGw8+mneAdaLIh74uTWf1fSpjq4RtocBWtlc0Tes9mBoWVEE4QWFawEMeemaOoe43k7iYUXA==",
"sha1": "30f96c42e0b83c076e369f7553cf768d27da208a"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bugexploit/MAL-2026-10201.json"