MAL-2026-10459

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/connectedmerchantsserv/MAL-2026-10459.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10459
Published
2026-07-13T17:37:46Z
Modified
2026-07-13T18:16:56.563353484Z
Summary
Malicious code in connectedmerchantsserv (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (834b886e34ea551223e9eeb30561267c93226eac960729a9a0ff6a06277c74cf)

The package's scripts.install lifecycle hook runs node index.js, which loads lib/core.js. That module collects the installer's OS username, hostname, and current working directory basename, then encodes those values as subdomain labels of oob.sl4x0.xyz prefixed with paypal2 and issues dns.resolve4 queries against the resulting hostname, leaking the data out-of-band to the attacker's authoritative DNS server. The Node API names (os, dns, userInfo, username, hostname, cwd) and the destination domain are hidden as char-code numeric arrays reconstructed via String.fromCharCode in lib/b02e30.js and lib/6ad264.js to evade static inspection. The package is presented as generic 'enterprise utilities' but ships no functionality matching that description.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "834b886e34ea551223e9eeb30561267c93226eac960729a9a0ff6a06277c74cf",
            "modified_time": "2026-07-13T17:37:46Z",
            "import_time": "2026-07-13T18:10:12.475554015Z",
            "id": "IN-MAL-2026-010271",
            "versions": [
                "9.9.11"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / connectedmerchantsserv

Package

Name
connectedmerchantsserv
View open source insights on deps.dev
Purl
pkg:npm/connectedmerchantsserv

Affected ranges

Affected versions

9.*
9.9.11

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/connectedmerchantsserv/MAL-2026-10459.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "connectedmerchantsserv-9.9.11.tgz",
            "hashes": {
                "sha512_sri": "sha512-aPFh9YNaxIKaKk/ndy8Wf7vdBNCERDEfdPZCJXCL+0mPi6uLx3jNKXogAaoiY/OdpwKIiWdK5tib0w6qQACQiQ==",
                "sha1": "a8ed40359888ec818a98762b3be95cb288b0f6ff"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/core.js",
            "sha256": "397d1435e7291ed6b02b8627033a110124d250a54290b3a8f9f248573fd6a2d4",
            "tlsh": "38014929a393c08f97e096d0361a03d18499c380e7ce80a5fa7c4a87904e7d1cac5a96"
        },
        {
            "path": "lib/b02e30.js",
            "sha256": "3daf2ec358d726df0db8f81464e0308fe7c96962198ec5f8d8878fe6334939df",
            "tlsh": "9be068177347c94fa1880bf7b90060a0aa0d8f58a12dc0e6f928678500af443c0c0232"
        }
    ]
}