MAL-2026-10634

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/estore-client/MAL-2026-10634.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10634
Published
2026-07-15T03:57:41Z
Modified
2026-07-15T05:19:51.575773830Z
Summary
Malicious code in estore-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6f5f2a664c7576b3cbf04696ddff717d8b3e9b835693035fa56a23035edef411)

package.json declares a preinstall lifecycle script that runs wget against https://webhook.site/d32804ac-1bbb-4100-ab60-95231dd3251c/, sending the installer's OS username ($(whoami)), current working directory ($(pwd)), and hostname ($(hostname)) as query parameters. This fires automatically on npm install before any user code runs. webhook.site is an anonymous request-collector service; the destination is not associated with a legitimate publisher endpoint. The behavior is host reconnaissance / beaconing consistent with a supply-chain recon stage.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010613",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T04:32:07.043096064Z",
            "sha256": "6f5f2a664c7576b3cbf04696ddff717d8b3e9b835693035fa56a23035edef411",
            "versions": [
                "5.0.0"
            ],
            "modified_time": "2026-07-15T03:57:41Z"
        }
    ]
}
References
Credits

Affected packages

npm / estore-client

Package

Affected ranges

Affected versions

5.*
5.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/estore-client/MAL-2026-10634.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "estore-client-5.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-7wVvgNYWrYR6o050cmZIzA2eTsyzCA3LY5MILpYPCVeIYJ+kCUzrU4BwkWK88oN6MAKlCYkYWBWNkJ7pifWp7A==",
                "sha1": "ef2feeadaf7dd5b937f45529084f98a8ef08991b"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "3fdddb67842386261986c68ed621070528a149bf4431ed8ee472d2316001ae4e",
            "tlsh": "38f02d74d9349aa31a834fa01550a50bf592f94fc8c52c0def736258816dbf3187c6b8"
        }
    ]
}