-= Per source details. Do not edit below this line.=-
package.json declares a preinstall lifecycle script that runs wget against https://webhook.site/d32804ac-1bbb-4100-ab60-95231dd3251c/, sending the installer's OS username ($(whoami)), current working directory ($(pwd)), and hostname ($(hostname)) as query parameters. This fires automatically on npm install before any user code runs. webhook.site is an anonymous request-collector service; the destination is not associated with a legitimate publisher endpoint. The behavior is host reconnaissance / beaconing consistent with a supply-chain recon stage.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010613",
"source": "amazon-inspector",
"import_time": "2026-07-15T04:32:07.043096064Z",
"sha256": "6f5f2a664c7576b3cbf04696ddff717d8b3e9b835693035fa56a23035edef411",
"versions": [
"5.0.0"
],
"modified_time": "2026-07-15T03:57:41Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/estore-client/MAL-2026-10634.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "estore-client-5.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-7wVvgNYWrYR6o050cmZIzA2eTsyzCA3LY5MILpYPCVeIYJ+kCUzrU4BwkWK88oN6MAKlCYkYWBWNkJ7pifWp7A==",
"sha1": "ef2feeadaf7dd5b937f45529084f98a8ef08991b"
}
}
],
"evidence_files": [
{
"path": "package.json",
"sha256": "3fdddb67842386261986c68ed621070528a149bf4431ed8ee472d2316001ae4e",
"tlsh": "38f02d74d9349aa31a834fa01550a50bf592f94fc8c52c0def736258816dbf3187c6b8"
}
]
}