MAL-2026-3028

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/amplitude-ma-ts/MAL-2026-3028.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3028
Published
2026-04-24T05:40:43Z
Modified
2026-04-24T06:17:58.970727Z
Summary
Malicious code in amplitude-ma-ts (npm)
Details

npm stealer. Hardcoded Discord webhook id 1497047226428690432 in the postinstall script Folder/bin/S.js. Exfiltrates {hostname, whoami, pwd, publicip (api.ipify.org), /etc/hosts} via Discord embed. v1.0.21 was an empty placeholder; v1.0.22 shipped the payload (name-squat-then-poison). Typosquats the @amplitude/* analytics scope. Maintainer 4senna <bugbounty4senna+1@gmail.com> (Gmail plus-alias throwaway). Score 20, signals: installhook + nodejsphonehome + iplookupwebsite + discordbot + discordexfil + exfilwhoami_hostname. Report: data/reports/research-threat-analysis/reports/2026-04-24-amplitude-ma-ts.md

Database specific
{
    "malicious-packages-origins": null
}

Affected packages

npm / amplitude-ma-ts

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/amplitude-ma-ts/MAL-2026-3028.json"