MAL-2026-10683

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/formatters.ts/MAL-2026-10683.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10683
Published
2026-07-15T15:38:41Z
Modified
2026-07-15T16:49:27.568038986Z
Summary
Malicious code in formatters.ts (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (21827129edc8dbde114c615df656d5a234d1fbcfa5b9f63d5286d781253e8f2b)

The package declares a preinstall hook that runs index.js on npm install. index.js collects host and identity reconnaissance — os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release, memory, CPU count, and the output of the whoami, id, and pwd shell commands — and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://y43nklho48nnebq8qpmw3ngha8gz4pse.oastify.com/detox56. The package name resembles a legitimate formatter/TypeScript module and ships with empty description/author metadata, consistent with a dependency-confusion typosquat lure whose sole purpose is the install-time beacon.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T15:38:41Z",
            "sha256": "21827129edc8dbde114c615df656d5a234d1fbcfa5b9f63d5286d781253e8f2b",
            "versions": [
                "14.2.1"
            ],
            "import_time": "2026-07-15T16:34:35.997967786Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010679"
        }
    ]
}
References
Credits

Affected packages

npm / formatters.ts

Package

Affected ranges

Affected versions

14.*
14.2.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "formatters.ts-14.2.1.tgz",
            "hashes": {
                "sha1": "19b32d30c24b83b27cfca926859ae4720d72f9a6",
                "sha512_sri": "sha512-RKVKC/EKD83uzjEitQalY/LWnVwF+jLyMfkZnWHW0x4MQtT1aoS4Qm6MhYRDKVuFjr6t++jfNz18XEG+9q4kNg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "975130d515f66a241ba7b8494a4f9402a327e0033509ee55bfcc8740af9936c9bf0bf6",
            "sha256": "d258314b1d0fd2121f4e1e06bced026bd7db4cb0b0c1a7ee081ed6106ae89a74",
            "path": "index.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/formatters.ts/MAL-2026-10683.json"