MAL-2026-3681

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@catamania/ui-components/MAL-2026-3681.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3681
Published
2026-05-12T07:44:27Z
Modified
2026-05-13T20:18:48.513381Z
Summary
Malicious code in @catamania/ui-components (npm)
Details

Source: amazon-inspector (326cc4cf1fbe96c77b6340df59ebea040cdd522e3e4bc76471563190044cf53a)

The package declares a postinstall lifecycle hook ("postinstall": "node postinstall.js" in package.json) that runs automatically during npm install. postinstall.js (lines 1-22) collects os.hostname(), os.userInfo().username, process.cwd(), and the entire process.env object, JSON-serializes them, and POSTs the payload over HTTPS to attacker.appsec.cc:9999/exfiltrate. On developer workstations and CI runners, process.env routinely contains high-value secrets (NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, CI provider tokens, database URLs). Errors are swallowed silently, a classic stealth technique that keeps the exfiltration from surfacing as a failed install. The package self-describes as internal UI components, which provides no legitimate justification for reading or transmitting environment variables. This is an unambiguous credential-theft supply-chain attack against the installer.
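As an added defensive example (not the advisory's or the package's own code), the script below audits a package.json together with the files its lifecycle hooks invoke for the combination described above: environment or host data collection plus a network call in an install-time script. The package names, file contents and pattern lists are constructed assumptions.

```javascript
'use strict';
// Added example, not code from the advisory or the package: a heuristic audit
// of npm lifecycle hooks for the pattern described above (read env/host data,
// then call the network). Package metadata and file contents are passed in as
// strings so the check runs offline; all fixtures below are constructed.

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const COLLECTS = [/process\.env\b/, /os\.userInfo\(/, /os\.hostname\(/, /process\.cwd\(/];
const NETWORK = [/https?\.request\(/, /\bfetch\(/, /net\.connect\(/, /dns\.(?:lookup|resolve)/];

// Pull local JS file names out of a hook command such as "node postinstall.js".
function scriptFiles(command) {
  return command.match(/[\w./-]+\.c?m?js\b/g) || [];
}

// Returns one finding per declared lifecycle hook. A hook whose script both
// gathers environment/host data and uses a network API is rated 'block';
// any other install-time hook is rated 'review' so a human looks at it.
function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const command = pkg.scripts && pkg.scripts[hook];
    if (!command) continue;
    const finding = { hook, command, files: [], collects: [], network: [] };
    for (const file of scriptFiles(command)) {
      const src = files[file];
      if (src === undefined) continue; // referenced script not shipped in the tarball
      finding.files.push(file);
      for (const re of COLLECTS) if (re.test(src)) finding.collects.push(re.source);
      for (const re of NETWORK) if (re.test(src)) finding.network.push(re.source);
    }
    finding.verdict = finding.collects.length && finding.network.length ? 'block' : 'review';
    findings.push(finding);
  }
  return findings;
}

// Constructed fixture mirroring the advisory's description (hostname + env,
// HTTPS request, errors swallowed); `opts` is deliberately left undefined.
const suspiciousPkg = { name: '@example/ui-components', scripts: { postinstall: 'node postinstall.js' } };
const suspiciousFiles = {
  'postinstall.js':
    "const os = require('os'); const https = require('https');\n" +
    "const info = { host: os.hostname(), env: process.env };\n" +
    "try { https.request(opts).end(JSON.stringify(info)); } catch (e) {}\n",
};
// Constructed benign fixture: a native-addon build step with no data collection.
const benignPkg = { name: '@example/native-addon', scripts: { postinstall: 'node scripts/build.js' } };
const benignFiles = { 'scripts/build.js': "require('child_process').execSync('node-gyp rebuild');\n" };
console.log(JSON.stringify(auditPackage(suspiciousPkg, suspiciousFiles), null, 2));
```

Running such a check before `npm install`, or installing with `--ignore-scripts` and reviewing any hook rated 'review' or 'block', is the practical mitigation for this class of package.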

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "326cc4cf1fbe96c77b6340df59ebea040cdd522e3e4bc76471563190044cf53a",
            "id": "IN-MAL-2026-002442",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:57.097743954Z"
        },
        {
            "modified_time": "2026-05-12T18:35:19Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "c318ae20e084477c4fd6d3f8408e68d4a4d0596a365adf4efe2f94fb5c22aedb",
            "id": "IN-MAL-2026-002443",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:57.14762113Z"
        }
    ]
}

Affected packages

npm / @catamania/ui-components

Package

Name
@catamania/ui-components
Purl
pkg:npm/%40catamania/ui-components

Affected ranges

Affected versions

1.*
1.0.1

Database specific

indicators
{
    "domains": [
        "attacker.appsec.cc"
    ],
    "evidence_files": [
        {
            "sha256": "67b38f0c558ee3252b546ec37c40eab872a6889f6a9f772fa6fc6127aba7e14e",
            "tlsh": "23f050f453a2d7a10eb9a1c4e085ec1712b3d101760b68a0b6d443a86fcd6fc1872ce4",
            "path": "postinstall.js"
        }
    ],
    "urls": [
        "https://attacker.appsec.cc:9999/exfiltrate"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-eUew8dlpi72Lot3kgp/ssVODcWHXgxN5JHYWWDkCQpJMtlJqYjPvSTPo9mQrxqOtpaQZO0ah9ldwWF7ScvFU4w==",
                "sha1": "2f9ed9681a4b50dc9d0b64c81a1775b5e8aebbca"
            },
            "filename": "ui-components-1.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@catamania/ui-components/MAL-2026-3681.json"