MAL-2026-10203

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/giantswarm/MAL-2026-10203.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10203
Published
2026-07-12T20:47:05Z
Modified
2026-07-12T21:01:53.336612881Z
Summary
Malicious code in giantswarm (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (75f3a244f2761c56347f695897a491d23ab04cafe1e5b0e46fd7d0d2c993f828)

The package declares a preinstall hook (node index.js) that runs automatically on npm install. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, whoami, id, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56. The package ships with empty description, author, and license fields and no functional code beyond the beacon. The unscoped name giantswarm impersonates the Giant Swarm vendor namespace, consistent with a dependency-confusion attack targeting private @giantswarm/* scopes.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "75f3a244f2761c56347f695897a491d23ab04cafe1e5b0e46fd7d0d2c993f828",
            "modified_time": "2026-07-12T20:47:05Z",
            "import_time": "2026-07-12T20:48:33.592158351Z",
            "id": "IN-MAL-2026-009758",
            "versions": [
                "22.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / giantswarm

Package

Affected ranges

Affected versions

22.*
22.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/giantswarm/MAL-2026-10203.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "giantswarm-22.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-HiN5slo29jCjLaDsrVkHLWMOLGODPXPPfGCDV9Gjr6R/GG1CVwrGoG6/ppxxe7qSY/L30FGL60EM3Shsh1kK7w==",
                "sha1": "a0a230d2566d59eb7ba261e854f38f8ba4ae5666"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "3c3a2ebdbdc414aac7ddf6ee6fbfd0fdd4a1320c180231c5f760e7f605c3644b",
            "tlsh": "4f5150d515f65a251b67b8494a4f9402a327e0033509de55bfcc8340af9537c9bf0bf2"
        },
        {
            "path": "package.json",
            "sha256": "6835a2008f27ae6cb55a7fbd681dc344257350dc23f4098ce08fbae07b258581",
            "tlsh": "7ed05e244d21552325c102924c2a9446b2618e2b04147c08678b182c818e67798ff31c"
        }
    ]
}