MAL-2026-10620

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ahooks-3.7.8/MAL-2026-10620.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10620
Published
2026-07-14T20:29:21Z
Modified
2026-07-14T21:04:41.334596060Z
Summary
Malicious code in ahooks-3.7.8 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c6816bbe8dc3e7d033a03452f7c1e8f873b97c158165faa863694ee13eb6dd61)

Package published as ahooks-3.7.8 at version 13.1.1 with empty author/description/license impersonates the legitimate ahooks React hooks library. package.json declares a preinstall hook that runs node index.js, which collects the installer's hostname, platform, architecture, username/uid/gid/shell, home directory, current working directory, and the output of whoami and id, and POSTs the JSON to the hardcoded Burp Collaborator subdomain https://q7y246t0aca8jr8vfs8c900s4jaay1mq.oastify.com/detox56. The script auto-executes on npm install without any user interaction.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010563",
            "import_time": "2026-07-14T20:52:49.917081206Z",
            "sha256": "c6816bbe8dc3e7d033a03452f7c1e8f873b97c158165faa863694ee13eb6dd61",
            "versions": [
                "13.1.1"
            ],
            "modified_time": "2026-07-14T20:29:21Z"
        }
    ]
}
References
Credits

Affected packages

npm / ahooks-3.7.8

Package

Affected ranges

Affected versions

13.*
13.1.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ahooks-3.7.8/MAL-2026-10620.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ahooks-3.7.8-13.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-ZMGHXjvgWQvufKHXJYNmW4eKGp8O0iJ9Ai5PHS1f3rxxukxqSVh02P9NMG1xlIv5N1dGOwYtMKG05e1FpgRu6A==",
                "sha1": "9f71385e007dc70f89f8858a15c5e0c40e72d51f"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "a4aba93a6f5a5eed25f92076510ca3fd7f6974121482532706dbf4aecd0fba4a",
            "tlsh": "8d5131c515f65a251ba7b8494a0f9402a327e0033549ee55bfcc8740af9936c9bf0bf6"
        },
        {
            "path": "package.json",
            "sha256": "eac260b4c4b17efb6350786d18b7e28f92740f964f22884d7b6c6e9214221f60",
            "tlsh": "b9d05e345e21a53325c50696482ea44662e1df2f0508780da3cb283cd5de67b98ff31d"
        }
    ]
}