MAL-2026-3639

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/briantreehttp/MAL-2026-3639.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3639
Published
2026-05-11T00:00:00Z
Modified
2026-05-13T08:50:49.835570Z
Summary
Malicious code in briantreehttp (npm)
Details

briantreehttp is a typosquatting package impersonating braintreehttp, the HTTP client library published by Braintree/PayPal. The package bundles the legitimate library source to appear functional while hiding a credential-theft payload in index1.js, which is executed at install time via the postinstall script.

The payload collects hostname, platform, architecture, Node.js version, UID, current working directory, all environment variables, AWS credentials (~/.aws/credentials, ~/.aws/config), npm tokens from .npmrc files (root, home, and working directory), Docker config (~/.docker/config.json), git config, .netrc, yarn config, npm global config, directory listings of the working directory, home, filesystem root, and /etc, network configuration files (/etc/resolv.conf, /etc/hosts, /proc/net/route), and AWS ECS/EC2 instance metadata from internal endpoints. All collected data is base64-encoded and exfiltrated via HTTPS POST to reportviewer.click/collect/. A secondary DNS-based exfiltration channel encodes environment variables into a subdomain and issues a request to dns.reportviewer.click.
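A defender-side check for the two install-time indicators this record describes (a package name one adjacent transposition away from the legitimate braintreehttp, and a postinstall hook that runs a file other than the declared entry point), written here as an added example and not taken from the OSV record or the malicious-packages repository; the sample manifests, the KNOWN_GOOD allow-list and the function names are constructed for illustration.

```python
import json
from typing import List

# Constructed manifest modelled on the advisory: the name is one adjacent
# transposition away from "braintreehttp" and postinstall runs index1.js.
SAMPLE_MANIFEST = json.dumps({
    "name": "briantreehttp", "version": "1.0.0", "main": "index.js",
    "scripts": {"postinstall": "node index1.js"},
})
# Constructed benign manifest for comparison.
CLEAN_MANIFEST = json.dumps({
    "name": "braintreehttp", "version": "1.0.0", "main": "index.js",
    "scripts": {"test": "mocha"},
})
# Hypothetical allow-list of legitimate names the check compares against.
KNOWN_GOOD = ["braintreehttp", "express", "lodash"]
# npm lifecycle hooks that execute arbitrary code during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so the 'ia' -> 'ai' swap in briantree counts as one edit."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_manifest(manifest_json: str, known_good: List[str]) -> List[str]:
    """Return human-readable findings for a package.json string; empty means clean."""
    pkg = json.loads(manifest_json)
    name, main = pkg.get("name", ""), pkg.get("main", "index.js")
    findings = [f"name {name!r} is within one edit of {good!r}"
                for good in known_good if name != good and osa_distance(name, good) <= 1]
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        findings.append(f"{hook} hook present: {cmd!r}")
        parts = cmd.split()  # flag `node <file>` where <file> is not the entry point
        if parts[0] == "node" and len(parts) > 1 and parts[1] != main:
            findings.append(f"{hook} runs {parts[1]}, not the declared entry {main}")
    return findings
```

Running `audit_manifest(SAMPLE_MANIFEST, KNOWN_GOOD)` yields three findings (typosquat name, postinstall hook present, hook runs index1.js rather than index.js), while the clean manifest yields none; the check is a pre-install triage aid, not a substitute for inspecting the package contents.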

Database specific
{
    "malicious-packages-origins": null
}
References
Credits

Affected packages

npm / briantreehttp

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/briantreehttp/MAL-2026-3639.json"