MAL-2026-10205

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/library-explorer/MAL-2026-10205.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10205
Published
2026-07-12T20:47:17Z
Modified
2026-07-12T21:01:53.661194256Z
Summary
Malicious code in library-explorer (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273)

package.json declares preinstall: node index.js. On npm install, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out whoami and (non-Windows) id via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "25.2.1"
            ],
            "id": "IN-MAL-2026-009759",
            "import_time": "2026-07-12T20:48:33.642381506Z",
            "modified_time": "2026-07-12T20:47:17Z",
            "sha256": "28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / library-explorer

Package

Affected ranges

Affected versions

25.*
25.2.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "library-explorer-25.2.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-pPRZb0SmChegNahUt4gyhtmrWHrwdyp+8MUM8WVJ/XNW76huybrE8o7u4k/JOqVNlxWMwjMlsIyJYJUP7hb50A==",
                "sha1": "be274220fdd450b1cc65896fd7c2629df819ad7c"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "ca5130c515f655241b67a8494a4f9402a327e0033509de55bfcc8340af8937c97f0bf6",
            "sha256": "4a33f8f2706676a92ea4c159f5cfb4253b36da86d2bb5672809e6419f554702b",
            "path": "index.js"
        },
        {
            "sha256": "21f6e3dffa7719b18e1eb0968fe4d98328260c493183d7ccc627e1dac3f4b430",
            "tlsh": "64d05e244e21553365c10252082b958672628e2b04043c08a7db182c61ce27b98ff35d",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/library-explorer/MAL-2026-10205.json"