-= Per source details. Do not edit below this line.=-
package.json declares a preinstall lifecycle script that runs curl -X POST against a hardcoded webhook.site collector URL (https://webhook.site/54919426-084d-4288-8f80-e36ae5c76e32), passing the installer's hostname and a timestamp as query parameters. The exfiltration fires automatically on npm install before any consumer code runs. The destination is an anonymous, author-controlled request-inspection endpoint with no legitimate role in the package's advertised functionality.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010670",
"sha256": "4a9d9e454c08fdafa531ee74a3bc52513d5bc39413810db4a6371494872984f8",
"import_time": "2026-07-15T11:33:39.793449715Z",
"modified_time": "2026-07-15T10:39:15Z",
"source": "amazon-inspector",
"versions": [
"3.0.1"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "ac-raf-emitter-3.0.1.tgz",
"hashes": {
"sha1": "4cfed9621a823b278169bea1f81fb7a0cfcf199f",
"sha512_sri": "sha512-LEe6A/OtQhWQaLEAZcZR78xlhYiNz95FVSRcnjNiRSG8MnZPmAyqKO4ChkQlzb0eMBfSXzdRmzIFrhrxqq+6TQ=="
}
}
],
"evidence_files": [
{
"tlsh": "d3d02b7cdc30f53314c502f89c76c50adad1976b9545ae0cb7835038821d1f7697a70d",
"sha256": "6da3cd3f64769c16068e1454599acf7704534b0b8f05b83ef2fae823158a39c1",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac-raf-emitter/MAL-2026-10675.json"