MAL-2026-10636

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/leviosa86-test/MAL-2026-10636.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10636
Published
2026-07-15T03:25:43Z
Modified
2026-07-15T05:20:00.211930477Z
Summary
Malicious code in leviosa86-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (46b0bed6337ffe527af2615fed8ae1ecbb449f6a6cb00afa6381f7811ec88956)

leviosa86-test@4.999.0 ships src/poc/index.js which uses child_process.exec to run a shell pipeline that collects host reconnaissance data (hostname, current working directory, whoami, a package identifier) and the public egress IP fetched from https://ifconfig.me, concatenates the values, and exfiltrates them via nslookup as a subdomain label of d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site — an Interactsh (project-discovery) out-of-band callback domain. The generic package name combined with the anomalous 4.999.0 version bump is the canonical dependency-confusion research/attack shape, where a high version number is published to a public registry to override a private internal package and cause the recon payload to fire in the victim's build.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "46b0bed6337ffe527af2615fed8ae1ecbb449f6a6cb00afa6381f7811ec88956",
            "versions": [
                "4.999.0"
            ],
            "id": "IN-MAL-2026-010599",
            "source": "amazon-inspector",
            "modified_time": "2026-07-15T03:25:43Z",
            "import_time": "2026-07-15T04:32:05.00816516Z"
        }
    ]
}
References
Credits

Affected packages

npm / leviosa86-test

Package

Affected ranges

Affected versions

4.*
4.999.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "leviosa86-test-4.999.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-8msHxrXPskhL8RymsF9e8lHFXs9+kiHTFPcv+ue8gf6M4m4EUp4o5pACH4IR1rsamGamlDHFUShMgDySu3i6TA==",
                "sha1": "27f0faa2ac3e04da498c6b08e0eb61625e1fb7fd"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "src/poc/index.js",
            "tlsh": "bce0abc47aae1437b3c010819e31200bfe83db6a1ab1d8a4e20981763448b84b0a51e2",
            "sha256": "a93d55cd8499780045f07b664b09d0eabe89dbf77b4e5e963c92d8572ca33290"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/leviosa86-test/MAL-2026-10636.json"