MAL-2026-10678

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ls-env-config/MAL-2026-10678.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10678
Published
2026-07-15T11:30:22Z
Modified
2026-07-15T11:49:25.975693145Z
Summary
Malicious code in ls-env-config (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (db44619df34ccbffa5747f17c8135602583a781ec01f8d3c03e0f828157e944c)

Package declares a preinstall script (node./index.js) that fires automatically on npm install. The executed index.js issues an HTTP GET to a Burp-Collaborator-style subdomain at 85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01. This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T11:30:22Z",
            "sha256": "db44619df34ccbffa5747f17c8135602583a781ec01f8d3c03e0f828157e944c",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-07-15T11:33:40.326746497Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010677"
        }
    ]
}
References
Credits

Affected packages

npm / ls-env-config

Package

Affected ranges

Affected versions

1.*
1.0.5

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ls-env-config-1.0.5.tgz",
            "hashes": {
                "sha1": "9625d3efc307005c9d0f777c59545c16a00b9cfb",
                "sha512_sri": "sha512-8//Iv8ey6Q3Rw5YP6vGUyyIOLgivceT1xWVcw878XP7ZMSUot+b3nHWOjjpyAB6Qdiw4CO/ZIui+JBiz6t1/aQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "12b0123cc287660ad971704091bc0156910c4943c9c2d1e337652dab39566610de06f0",
            "sha256": "e3ec83c7a3415ebc86e382f518496f6d6b6336e7f89c33bebb1ea6e29a22ffbb",
            "path": "index.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ls-env-config/MAL-2026-10678.json"