MAL-2026-10764

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syft-acp-atoms/MAL-2026-10764.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10764
Aliases
  • GHSA-j5f4-f3f3-634h
Published
2026-07-16T00:00:00Z
Modified
2026-07-18T02:04:36.567418023Z
Summary
Malicious code in syft-acp-atoms (npm)
Details

The syft-acp-atoms package was published to the npm registry by user 'ada8877' (maintainer email k3mlol@proton.me) as part of a dependency-confusion / reconnaissance campaign. The package name mimics the 'syft-acp' internal/private package naming convention (an ACP component library) of a target organization, so that a misconfigured resolver installs this public lookalike instead of the intended private dependency.

The package declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that executes automatically at npm install time, before any application code runs. The bundled examples/verify.js initializes the @sentry/node client against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii enabled, resolves the installing host's public egress IP address by requesting Cloudflare's /cdn-cgi/trace endpoint (using a spoofed desktop-browser User-Agent to bypass bot challenges), then deliberately triggers a runtime exception and captures it. Flushing the event beacons the collected host telemetry (public IP plus Sentry default PII such as hostname, OS username and runtime/environment metadata) to the attacker's Sentry ingest endpoint at o4510485815754752.ingest.us.sentry.io.

Each impersonated namespace in the campaign beacons to a distinct Sentry project ID, letting the operator attribute successful installs to specific victim organizations — behaviour consistent with a dependency-confusion reconnaissance beacon rather than legitimate error monitoring. The install-time payload is byte-for-byte identical to the earlier 'click2ai' campaign, sharing the same Sentry organization (o4510485815754752) and a related ProtonMail maintainer identity, and differs only in the package name and target DSN. This package's beacon targets Sentry project 4511744089718784.


-= Per source details. Do not edit below this line.=-

Source: ghsa-malware (1350f5cfd87853429f8b7110a5819002a86be8590dfb1d6b3bb4698f69836975)

The syft-acp-atoms package was published to the npm registry by user 'ada8877' (maintainer email k3mlol@proton.me) as part of a dependency-confusion / reconnaissance campaign. The package name mimics the 'syft-acp' internal/private package naming convention (an ACP component library) of a target organization, so that a misconfigured resolver installs this public lookalike instead of the intended private dependency.

The package declares a preinstall hook ("npm install @sentry/node && node examples/verify.js") that executes automatically at npm install time, before any application code runs. The bundled examples/verify.js initializes the @sentry/node client against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii enabled, resolves the installing host's public egress IP address by requesting Cloudflare's /cdn-cgi/trace endpoint (using a spoofed desktop-browser User-Agent to bypass bot challenges), then deliberately triggers a runtime exception and captures it. Flushing the event beacons the collected host telemetry (public IP plus Sentry default PII such as hostname, OS username and runtime/environment metadata) to the attacker's Sentry ingest endpoint at o4510485815754752.ingest.us.sentry.io.

Each impersonated namespace in the campaign beacons to a distinct Sentry project ID, letting the operator attribute successful installs to specific victim organizations — behaviour consistent with a dependency-confusion reconnaissance beacon rather than legitimate error monitoring. The install-time payload is byte-for-byte identical to the earlier 'click2ai' campaign, sharing the same Sentry organization (o4510485815754752) and a related ProtonMail maintainer identity, and differs only in the package name and target DSN. This package's beacon targets Sentry project 4511744089718784.


Credit: OpenSSF (source)

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-18T01:23:11Z",
            "sha256": "1350f5cfd87853429f8b7110a5819002a86be8590dfb1d6b3bb4698f69836975",
            "import_time": "2026-07-18T01:54:31.683284668Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0.0.1-0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware",
            "id": "GHSA-j5f4-f3f3-634h"
        }
    ]
}
References
Credits

Affected packages

npm / syft-acp-atoms

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Type
SEMVER
Events
Introduced
0.0.1-0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
iocs
{
    "urls": [
        "https://e82e1244d311e1f83fd57d89db4d62a3@o4510485815754752.ingest.us.sentry.io/4511744089718784"
    ],
    "domains": [
        "o4510485815754752.ingest.us.sentry.io"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syft-acp-atoms/MAL-2026-10764.json"