MAL-2026-10625

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@leviosa86com/leviosa86-test/MAL-2026-10625.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10625
Published
2026-07-15T02:11:09Z
Modified
2026-07-15T07:49:19.238545828Z
Summary
Malicious code in @leviosa86com/leviosa86-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (96264a8719e17bd8ec21d47213fe31dec87445e01ff312a1e46af5819e028979)

Package @leviosa86com/leviosa86-test@5.999.0 ships src/poc/index.js which shells out via child_process.exec to collect host identifiers (hostname, pwd, whoami) and the installer's public IP (curl https://ifconfig.me), then concatenates the collected data into a subdomain label and triggers a DNS lookup (nslookup) against a unique subdomain of oast.site (a d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site Interactsh out-of-band interaction server), exfiltrating host recon over DNS to an attacker-controlled OAST endpoint. package.json declares preinstall: node index.js; a root index.js is not present in the tarball, so the default install may no-op, but the shipped src/poc/index.js payload is unambiguous exfiltration recon and the package name/version shape (@leviosa86com/leviosa86-test@5.999.0, a very high version) matches a namespace-squat / dependency-confusion attempt targeting a private @leviosa86com scope.

Source: ossf-package-analysis (bd27813c19849691d4281fa9d708aee4d3d5136d7178c4d2d3280a5226793e28)

The OpenSSF Package Analysis project identified '@leviosa86com/leviosa86-test' @ 6.2.1 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T03:26:07Z",
            "versions": [
                "6.2.1"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010602",
            "sha256": "13b01aa531b313ead73acfb41f17766937649e9a3036694802aa53ff7d16f4a9",
            "import_time": "2026-07-15T04:32:05.371496258Z"
        },
        {
            "modified_time": "2026-07-15T03:25:58Z",
            "versions": [
                "6.0.0"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010601",
            "sha256": "27e1ac5cd072c9307baa60fafce25dda228f1f5d8108e37ba1824da8ddd71f14",
            "import_time": "2026-07-15T04:32:05.224151594Z"
        },
        {
            "id": "IN-MAL-2026-010600",
            "versions": [
                "4.999.0"
            ],
            "modified_time": "2026-07-15T03:25:51Z",
            "source": "amazon-inspector",
            "sha256": "3db0b116d212c45c320013968a82a31680729be8821b7069bbc0540b016ce542",
            "import_time": "2026-07-15T04:32:05.107284853Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "5.999.0"
            ],
            "sha256": "96264a8719e17bd8ec21d47213fe31dec87445e01ff312a1e46af5819e028979",
            "id": "IN-MAL-2026-010603",
            "modified_time": "2026-07-15T03:26:16Z",
            "import_time": "2026-07-15T04:32:05.475516389Z"
        },
        {
            "modified_time": "2026-07-15T02:11:09Z",
            "versions": [
                "6.2.1"
            ],
            "source": "ossf-package-analysis",
            "sha256": "bd27813c19849691d4281fa9d708aee4d3d5136d7178c4d2d3280a5226793e28",
            "import_time": "2026-07-15T07:40:14.520070394Z"
        }
    ]
}
References
Credits

Affected packages

npm / @leviosa86com/leviosa86-test

Package

Name
@leviosa86com/leviosa86-test
View open source insights on deps.dev
Purl
pkg:npm/%40leviosa86com/leviosa86-test

Affected ranges

Affected versions

4.*
4.999.0
5.*
5.999.0
6.*
6.0.0
6.2.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "leviosa86-test-6.2.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-LzB8MuC/rvy6Wy1md4XHP8o5gMHosAABNzCwFzoNi4RanNDICTjchwb/0nf+TeyRxKDR+z/GjB6TX1jnj3s16w==",
                "sha1": "5cd1acc4aeb9b1d2d21aee318db8adfee1d01fad"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "src/poc/index.js",
            "sha256": "a93d55cd8499780045f07b664b09d0eabe89dbf77b4e5e963c92d8572ca33290",
            "tlsh": "bce0abc47aae1437b3c010819e31200bfe83db6a1ab1d8a4e20981763448b84b0a51e2"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@leviosa86com/leviosa86-test/MAL-2026-10625.json"