MAL-2026-10675

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac-raf-emitter/MAL-2026-10675.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10675
Published
2026-07-15T10:39:15Z
Modified
2026-07-15T11:49:26.504532177Z
Summary
Malicious code in ac-raf-emitter (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4a9d9e454c08fdafa531ee74a3bc52513d5bc39413810db4a6371494872984f8)

package.json declares a preinstall lifecycle script that runs curl -X POST against a hardcoded webhook.site collector URL (https://webhook.site/54919426-084d-4288-8f80-e36ae5c76e32), passing the installer's hostname and a timestamp as query parameters. The exfiltration fires automatically on npm install before any consumer code runs. The destination is an anonymous, author-controlled request-inspection endpoint with no legitimate role in the package's advertised functionality.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010670",
            "sha256": "4a9d9e454c08fdafa531ee74a3bc52513d5bc39413810db4a6371494872984f8",
            "import_time": "2026-07-15T11:33:39.793449715Z",
            "modified_time": "2026-07-15T10:39:15Z",
            "source": "amazon-inspector",
            "versions": [
                "3.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / ac-raf-emitter

Package

Affected ranges

Affected versions

3.*
3.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ac-raf-emitter-3.0.1.tgz",
            "hashes": {
                "sha1": "4cfed9621a823b278169bea1f81fb7a0cfcf199f",
                "sha512_sri": "sha512-LEe6A/OtQhWQaLEAZcZR78xlhYiNz95FVSRcnjNiRSG8MnZPmAyqKO4ChkQlzb0eMBfSXzdRmzIFrhrxqq+6TQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "d3d02b7cdc30f53314c502f89c76c50adad1976b9545ae0cb7835038821d1f7697a70d",
            "sha256": "6da3cd3f64769c16068e1454599acf7704534b0b8f05b83ef2fae823158a39c1",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac-raf-emitter/MAL-2026-10675.json"