MAL-2026-10551

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/elsisi-cli/MAL-2026-10551.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10551
Published
2026-07-14T05:09:30Z
Modified
2026-07-15T19:06:40.193391661Z
Summary
Malicious code in elsisi-cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4deec3de3ca46a57023580a81da870e3ce444a691ad6f42f5217abe206ef448a)

package.json declares preinstall and postinstall lifecycle scripts that invoke wget against https://webhook.site/d5968c3d-d0d7-46c4-9305-a726b24fce9c/, passing the installer's current working directory and hostname as query-string parameters ($(pwd), $(hostname)). Both beacons fire automatically on npm install. The tarball ships only package.json (371 bytes); the declared main entry index.js is absent and no source, README, or functionality accompanies the lifecycle hooks, so the package's only effect on install is the outbound beacon to the attacker-controlled webhook.site collector.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010393",
            "versions": [
                "9.9.9"
            ],
            "sha256": "4deec3de3ca46a57023580a81da870e3ce444a691ad6f42f5217abe206ef448a",
            "source": "amazon-inspector",
            "modified_time": "2026-07-14T05:09:30Z",
            "import_time": "2026-07-14T05:49:19.147844657Z"
        }
    ]
}
References
Credits

Affected packages

npm / elsisi-cli

Package

Affected ranges

Affected versions

9.*
9.9.9

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "elsisi-cli-9.9.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-jFVEC9v8QalzXViumrl8Ok1qtPn41NA91AQDZjcY/wmzHIo/ILLaxyJe/TrlcCQ1Uaskr9NPQv/jmhGwzjGOgg==",
                "sha1": "75adf9c7d12923a7a3c040f419a734d3f744a0da"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "7d615e7391bd723b7cecaeefd6231ef326fae4ca7be39bb28005089b8c1e57bd",
            "tlsh": "29e06871c0106f3329c603e42543480ae2e3ef0a64092e0cebf3c9b50148c76107c79e"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/elsisi-cli/MAL-2026-10551.json"