MAL-2026-10615

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/smb-common-uikit/MAL-2026-10615.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10615
Published
2026-07-14T19:49:26Z
Modified
2026-07-14T20:49:30.823891533Z
Summary
Malicious code in smb-common-uikit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (66072ca2fc20c19a01d0a2b888d90632a7d9bfdc34a2d1a71b61ad06975eae5c)

package.json declares a preinstall hook that runs index.js. On npm install, index.js collects host reconnaissance from the installer (os.hostname(), os.userInfo(), os.platform(), os.arch(), homedir, uid/gid, shell, plus the output of whoami, id, and cwd via child_process) and POSTs the resulting JSON to the hardcoded URL https://rmh3j781pdp9ysnwutndo1ftjkpbd31s.oastify.com/detox56. oastify.com is a Burp Suite Collaborator out-of-band interaction domain, and the unique random subdomain plus install-time host beacon is the canonical dependency-confusion / reconnaissance exfiltration shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T19:49:26Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-14T20:28:24.320017687Z",
            "versions": [
                "15.2.0"
            ],
            "id": "IN-MAL-2026-010554",
            "sha256": "66072ca2fc20c19a01d0a2b888d90632a7d9bfdc34a2d1a71b61ad06975eae5c"
        }
    ]
}
References
Credits

Affected packages

npm / smb-common-uikit

Package

Affected ranges

Affected versions

15.*
15.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "smb-common-uikit-15.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-I/AO9wMK70O/46zBTpxtTYBVtr2x+8H7AW1IiYvjlNnUorPV1n9Bi/hVFufX+N3A3iuhhRXp85HxaHue1JvFsg==",
                "sha1": "42724b4be447cfdfe7fb1830b2f05f739c354094"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "235142c516f659241b67b8494a4f9402a327e0033545ee55bfcc8740af9937c9bf0bf6",
            "path": "index.js",
            "sha256": "4f59d47b9b51db3e0949a24406b7aa569946acf660c9dcd551bef4ae37a37bca"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/smb-common-uikit/MAL-2026-10615.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]