MAL-2026-3323

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paypal-payouts-bridge/MAL-2026-3323.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3323

Published

2026-05-04T00:00:00Z

Modified

2026-05-12T07:57:39.557188Z

Summary

Malicious code in paypal-payouts-bridge (npm)

Details

Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal using inflated semver values (e.g. 99.9.x, 100.1.x) to win npm resolution against private internal packages. All packages in the campaign falsely advertise themselves as "Security Research PoC" and execute on preinstall via node index.js, exfiltrating to disposable webhook.site endpoints.

This package targets PayPal-flavored internal naming and performs internal-registry / build-environment discovery. On install it reads /root/.npmrc (token values are partially scrubbed before exfil but the registry URL is kept, revealing the victim's private registry), enumerates neighbor packages under /app/node_modules and /node_modules, and runs npm search paypal --json --limit=20 against whatever registry is configured to enumerate other PayPal-named packages worth targeting. The collected output is POSTed to https://webhook.site/db976f48-5e71-4746-a905-1af291c19c1f tagged event: LINUX_INTERNAL_DISCOVERY. Source contains Indonesian-language operator comments matching the rest of the campaign.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f69cc5cfb5a8e0c84e7387ea072e9fe786cb914071d10fa048e61a144546a4f9)

The package paypal-payouts-bridge was found to contain malicious code.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "f69cc5cfb5a8e0c84e7387ea072e9fe786cb914071d10fa048e61a144546a4f9",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T06:53:21Z",
            "import_time": "2026-05-12T07:28:47.739372881Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / paypal-payouts-bridge

Package

Name: paypal-payouts-bridge; View open source insights on deps.dev
Purl: pkg:npm/paypal-payouts-bridge

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/paypal-payouts-bridge/MAL-2026-3323.json"