MAL-2026-10201

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bugexploit/MAL-2026-10201.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10201
Published
2026-07-12T20:45:28Z
Modified
2026-07-12T21:01:54.087620893Z
Summary
Malicious code in bugexploit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (745f81b0c53fa121939d4f71680783860795a394eb30308f6e7e2dcf29401c92)

package.json declares a postinstall script that runs node index.js. On npm install, index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec. The transmission is unconditional and fires automatically on default install. The destination is a generic webhook-capture service unrelated to any declared package purpose, and the collected fields are host identifiers useful for victim triage / beacon confirmation.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.9.9"
            ],
            "id": "IN-MAL-2026-009753",
            "import_time": "2026-07-12T20:48:33.354486684Z",
            "modified_time": "2026-07-12T20:45:28Z",
            "sha256": "745f81b0c53fa121939d4f71680783860795a394eb30308f6e7e2dcf29401c92",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / bugexploit

Package

Affected ranges

Affected versions

99.*
99.9.9

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "66282b09f7caaa5bf5e8f452563b22bfb584809882a181a7ac1901e65a86d664",
            "tlsh": "13f0ddf085b186604ffe51d4a04cbc1e2263e201b44fa990e5c443645fc5ae458f2de5",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "bugexploit-99.9.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-bblnHNtPANP4owGGw8+mneAdaLIh74uTWf1fSpjq4RtocBWtlc0Tes9mBoWVEE4QWFawEMeemaOoe43k7iYUXA==",
                "sha1": "30f96c42e0b83c076e369f7553cf768d27da208a"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bugexploit/MAL-2026-10201.json"