MAL-2026-10632

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cppt-common/MAL-2026-10632.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10632
Published
2026-07-14T22:16:11Z
Modified
2026-07-15T05:19:50.701463249Z
Summary
Malicious code in cppt-common (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (484688d5963a9246f4fe7a2b5c1c7ebe6bba135a2a5df66b3ab57f44978407b2)

cppt-common@13.1.1 declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js collects host and user identifiers — os.hostname(), os.userInfo(), the output of whoami and id via child_process.exec, platform/arch/memory, cwd, homedir, and shell — and POSTs the collected JSON to a hardcoded endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56. The oastify.com host is a Burp Collaborator out-of-band callback domain used for exfiltration. The package has empty description and author fields and provides no advertised functionality; its only install-time effect is the reconnaissance beacon.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-07-14T22:23:33.989917199Z",
            "sha256": "484688d5963a9246f4fe7a2b5c1c7ebe6bba135a2a5df66b3ab57f44978407b2",
            "modified_time": "2026-07-14T22:16:11Z",
            "versions": [
                "13.1.1"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010586"
        }
    ]
}
References
Credits

Affected packages

npm / cppt-common

Package

Affected ranges

Affected versions

13.*
13.1.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "cppt-common-13.1.1.tgz",
            "hashes": {
                "sha1": "6926be77c70dcd4805f548de0a7fec56af6cb0ce",
                "sha512_sri": "sha512-h6DYfs4IBJJeS2F2R/6nz51WopJxZ6XmNx0WUNnmgAj9hVcns8V3Yi/JDYwuCisngbG5vnyoWAs4L/2kfrGtaQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "955131c515f659251ba7b8494a0f9402a327e0033505de55bfcc8740af9936c9bf0bf6",
            "sha256": "0b11f117bb21140a7a6f707d67f5d82960593281ee144ee4112b6fe1617851d8",
            "path": "index.js"
        },
        {
            "tlsh": "9dd05e345e51652329c50692082ea44662a18f2f09543809a7cb683c92de6779cff31d",
            "sha256": "875c76abf1a9c2ad33739f117fe50f13447905ca1c2f3229f70e23af60df3d6c",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cppt-common/MAL-2026-10632.json"