MAL-2026-3653
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@design-system-coopeuch/web/MAL-2026-3653.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3653
- Published
- 2026-05-13T02:46:17Z
- Modified
- 2026-05-15T07:52:17.599724Z
- Summary
- Malicious code in @design-system-coopeuch/web (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (a871445c3913d747a2f1383bcfdac02d6dec26ddb2053260340284cf4ee02233)
Package
@design-system-coopeuch/web@999.0.4is a dependency-confusion squat of an internal-looking scope, published at an inflated 999.x version to override any private registry copy.package.jsondeclares apreinstallhook that runscb.js, which collects installer host identifiers (os.hostname(), cwd, install directory,id,uname -a, OS release info, and the full list ofprocess.envkey names) and POSTs them as JSON over cleartext HTTP to a hardcoded bare IP,http://157.173.126.113:8443/dep-confusion(cb.js line 20:hostname: "157.173.126.113", port: 8443, path: "/dep-confusion", method: "POST"). The beacon fires automatically onnpm installwithout user consent. Although the package description self-labels as an "authorized bug bounty PoC," any unintended installer has their host fingerprint exfiltrated to an attacker-controlled endpoint. The combination of internal-scope impersonation, inflated version, and install-time beacon to a bare IP is the canonical dependency-confusion attack shape.Source: ossf-package-analysis (e91609499d64cf31c94ddc3047d4c189c64e8e5f09c3da98cb3fec5c05978823)
The OpenSSF Package Analysis project identified '@design-system-coopeuch/web' @ 999.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "e91609499d64cf31c94ddc3047d4c189c64e8e5f09c3da98cb3fec5c05978823", "import_time": "2026-05-13T09:07:58.812691011Z", "source": "ossf-package-analysis", "modified_time": "2026-05-13T02:46:17Z", "versions": [ "999.0.0" ] }, { "sha256": "a871445c3913d747a2f1383bcfdac02d6dec26ddb2053260340284cf4ee02233", "id": "IN-MAL-2026-002780", "source": "amazon-inspector", "modified_time": "2026-05-14T21:28:49Z", "versions": [ "999.0.4" ], "import_time": "2026-05-15T07:37:19.848171132Z" }, { "sha256": "a9cb49ff96b31bfe45dc71bbdb2da10deebbce669349ee716dc54ca2bc5730e6", "id": "IN-MAL-2026-002778", "source": "amazon-inspector", "modified_time": "2026-05-14T21:07:29Z", "versions": [ "999.0.0" ], "import_time": "2026-05-15T07:37:19.664320794Z" }, { "sha256": "c6a5d517f4c553ff117601cad9013ed774327d5054716118f863158b963f4098", "id": "IN-MAL-2026-002748", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:43Z", "versions": [ "999.0.0" ], "import_time": "2026-05-15T07:37:18.776464529Z" }, { "sha256": "4490514d2a58551410f3fba0ab3425151aab2ec7bdf0490cbd64629032c839eb", "id": "IN-MAL-2026-002749", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:44Z", "versions": [ "999.0.4" ], "import_time": "2026-05-15T07:37:18.854288051Z" }, { "sha256": "9f2dd3bd8d9cb5f43df394f4fd5b3e7673db125dca15b969d6d115cd3f255bca", "id": "IN-MAL-2026-002779", "source": "amazon-inspector", "modified_time": "2026-05-14T21:09:00Z", "versions": [ "999.0.0" ], "import_time": "2026-05-15T07:37:19.708610392Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- OpenSSF: Package Analysis - FINDER
-
Affected packages
npm / @design-system-coopeuch/web
Package
- Name
- @design-system-coopeuch/web
- View open source insights on deps.dev
- Purl
- pkg:npm/%40design-system-coopeuch/web
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@design-system-coopeuch/web/MAL-2026-3653.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"sha256": "e0a192b06e2e1f7fe414a639db042f1cc36e0553438d862960d58c45d351383a",
"tlsh": "390175f0b3d9abf035e571a0b0f20400f2a3c8697207b4d057c405f566ce57840322dd",
"path": "cb.js"
},
{
"sha256": "fff99c4797738dbb4fc2967a1d5f2a70444ffceab004b5497e6be5fb4be06da9",
"tlsh": "c3d0973a0904a43320c807e014744001e260dc2f0100de288bc30068c22a7b3437bb0e",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "web-999.0.4.tgz",
"hashes": {
"sha1": "c22ac630a1390f8b178093865b23e858737a29d2",
"sha512_sri": "sha512-iMZekSgCa3lCdCzXHw79aDx0QnM5JKARpeVoHRx96rqCM5c7rkb82NyyCvy+QYNj5MYFeGDnFFGjPFykzhgxgA=="
}
}
]
}