MAL-2026-3684

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gusmano/reext/MAL-2026-3684.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3684
Published
2026-05-12T21:23:01Z
Modified
2026-05-13T20:22:37.637033Z
Summary
Malicious code in @gusmano/reext (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8)

The npm preinstall lifecycle script (dist/scripts/preinstall.js, wired via package.json "preinstall": "node ./dist/scripts/preinstall.js") reads the installer's ~/.gitconfig via iniparser.parseSync(homedir+'/.gitconfig') and the OS username via os.userInfo().username, then issues an HTTPS GET to the hardcoded endpoint https://2tak.l.serverhost.name:1962/mobile/reext with osname, gitname, and gitemail supplied as query parameters. The code explicitly branches on if (osname === 'xmarcgusmano') { server = 'http://localhost:1962' } else { server = 'https://2tak.l.serverhost.name:1962' }, confirming that the remote-host path fires for every installer that is not the author's own machine — a deliberate exfiltration path gated by the author's own username. The destination is not a documented vendor endpoint; it is an author-controlled third-party host the installer did not opt into. Separately, dist/scripts/postinstall.js resolves path.resolve(__dirname, '../../package.json') (the consuming project's own package.json relative to node_modules/@gusmano/reext/dist/scripts/) and rewrites it, deleting scripts.dev/build/test/watch/coverage, the entire scripts key, eslintConfig, devDependencies, and dependencies, then rm -rf's several dist subfolders — destructive, unauthorized mutation of the installer's project files. The combination (silent install-time exfiltration of personal identity data to an author-controlled host plus destructive rewrite of the consumer's manifest) is unambiguously harmful to installers. Two points to confirm before relying on these details for detection or triage: resolved from node_modules/@gusmano/reext/dist/scripts/, '../../package.json' is node_modules/@gusmano/reext/package.json, so which manifest is actually rewritten should be checked against the evidence files; and this analysis is attributed to the amazon-inspector origin entry listed for version 0.0.237, while the indicators section gives the script paths as dist/preinstall.js and dist/postinstall.js, so the file layout may differ between versions.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002614",
            "import_time": "2026-05-13T20:11:02.649312644Z",
            "sha256": "054b16cbfefbf8db2833bc11292a221388ea6f846f479accff78585e1f2fa27a",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T03:27:31Z",
            "versions": [
                "0.0.104"
            ]
        },
        {
            "id": "IN-MAL-2026-002578",
            "import_time": "2026-05-13T20:11:00.61484503Z",
            "sha256": "3f9749ef494686a44f85606ca4b3f074373275808013fe9e59f1797bcca9b0fe",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T23:03:17Z",
            "versions": [
                "0.0.166"
            ]
        },
        {
            "id": "IN-MAL-2026-002590",
            "import_time": "2026-05-13T20:11:01.576700937Z",
            "sha256": "4e84657e6ccdec00cd4972691de05d04081c98b7e7734ff7b94688059e9ea502",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T00:47:34Z",
            "versions": [
                "0.0.216"
            ]
        },
        {
            "id": "IN-MAL-2026-002567",
            "import_time": "2026-05-13T20:10:59.934468325Z",
            "sha256": "4f0ba19a2a776ef66ddeb23ebec68f2d5adfc1ea203f8be9fa14dfdd9906099f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T21:23:50Z",
            "versions": [
                "0.0.150"
            ]
        },
        {
            "id": "IN-MAL-2026-002577",
            "import_time": "2026-05-13T20:11:00.520552294Z",
            "sha256": "95b6cc3a3852fd4256b505e0f495070b12c74c2845ddb074ca10c2f976780783",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T23:03:02Z",
            "versions": [
                "0.0.148"
            ]
        },
        {
            "id": "IN-MAL-2026-002595",
            "import_time": "2026-05-13T20:11:01.918777077Z",
            "sha256": "2d48ef0582a31947906fbeaa4735eae0d3fb69cab51e118f28fc293c3fe2aafe",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:14:42Z",
            "versions": [
                "0.0.218"
            ]
        },
        {
            "id": "IN-MAL-2026-002571",
            "import_time": "2026-05-13T20:11:00.118329974Z",
            "sha256": "3c1869cfa68f4b777e7d2a65a1c002bbe6b69fd157dbec48f2c0c8244403b8f9",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T21:58:26Z",
            "versions": [
                "0.0.197"
            ]
        },
        {
            "id": "IN-MAL-2026-002593",
            "import_time": "2026-05-13T20:11:01.82913543Z",
            "sha256": "69da331d08f2262e165c6f05b979bf5862d21877627b226ce3018c30b312f4b7",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:07:12Z",
            "versions": [
                "0.0.276"
            ]
        },
        {
            "id": "IN-MAL-2026-002580",
            "import_time": "2026-05-13T20:11:00.811403722Z",
            "sha256": "7225ee364b6bf2e68d8f94df0f0fb8ff3212495a1f86a81cd95036add33b1297",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T23:11:12Z",
            "versions": [
                "0.0.92"
            ]
        },
        {
            "id": "IN-MAL-2026-002574",
            "import_time": "2026-05-13T20:11:00.274678051Z",
            "sha256": "8a5af26cfe6ec2086ff01bcd884e78204e9ebe556ab1149a276e4788f2e16b30",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T22:10:21Z",
            "versions": [
                "0.0.98"
            ]
        },
        {
            "id": "IN-MAL-2026-002581",
            "import_time": "2026-05-13T20:11:00.899644618Z",
            "sha256": "25cb2d1c27f93198a0c22c0d91516b40bdf72db5b27d7684fb693a1adf1b6d52",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T23:16:22Z",
            "versions": [
                "0.0.317"
            ]
        },
        {
            "id": "IN-MAL-2026-002565",
            "import_time": "2026-05-13T20:10:59.830462978Z",
            "sha256": "41da396e871fb4898617c8ee8c9862016e8327d344aa9ca92286cd08613960ed",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T21:23:01Z",
            "versions": [
                "0.0.169"
            ]
        },
        {
            "id": "IN-MAL-2026-002584",
            "import_time": "2026-05-13T20:11:01.176429145Z",
            "sha256": "5eb7e3818b728594ca78e7ee60ebbc307a572c55e2edc1736f3098b0bbe7858f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T00:18:09Z",
            "versions": [
                "0.0.209"
            ]
        },
        {
            "id": "IN-MAL-2026-002592",
            "import_time": "2026-05-13T20:11:01.770816091Z",
            "sha256": "87c1df2138a5b8fc918fd76b3b12da6f03ad345b480fe582f03005a7511ff4fa",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:05:07Z",
            "versions": [
                "0.0.250"
            ]
        },
        {
            "id": "IN-MAL-2026-002579",
            "import_time": "2026-05-13T20:11:00.714856167Z",
            "sha256": "a7634086135630c5a74eb9c337cae198a015db1f42136a87f900fc3c8f2f4824",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T23:10:54Z",
            "versions": [
                "0.0.236"
            ]
        },
        {
            "id": "IN-MAL-2026-002569",
            "import_time": "2026-05-13T20:11:00.020406465Z",
            "sha256": "d565c09d7b68f3745a1c0545035718c847f53dd80f56a27f3074f97e8b65f9e9",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T21:29:49Z",
            "versions": [
                "0.0.121"
            ]
        },
        {
            "id": "IN-MAL-2026-002596",
            "import_time": "2026-05-13T20:11:02.034587925Z",
            "sha256": "903527699f939e76923ea5d5489cd0665e503d34875c63f0baa2d202f3c3998e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:14:57Z",
            "versions": [
                "0.0.198"
            ]
        },
        {
            "id": "IN-MAL-2026-002588",
            "import_time": "2026-05-13T20:11:01.402497285Z",
            "sha256": "963bc7a7692aaa83951959252a82fbecd043a194a3c12444d625c7620ac36469",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T00:46:38Z",
            "versions": [
                "0.0.128"
            ]
        },
        {
            "id": "IN-MAL-2026-002599",
            "import_time": "2026-05-13T20:11:02.161399496Z",
            "sha256": "d8b09993dd148c1c48224b04bb240ae823586dad7e365ef187e9c33f9882cfe5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:23:26Z",
            "versions": [
                "0.0.190"
            ]
        },
        {
            "id": "IN-MAL-2026-002609",
            "import_time": "2026-05-13T20:11:02.267861091Z",
            "sha256": "98f647eef993d1ceac73629adfc39a5689b98f0161c8c3f6019cff9272e553b6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T03:16:29Z",
            "versions": [
                "0.0.352"
            ]
        },
        {
            "id": "IN-MAL-2026-002583",
            "import_time": "2026-05-13T20:11:01.119063779Z",
            "sha256": "bfcc3256d46cea7ccc02dbc0e50a9015c0940e2d22086de24264028d99b14a99",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T00:02:31Z",
            "versions": [
                "0.0.223"
            ]
        },
        {
            "id": "IN-MAL-2026-002591",
            "import_time": "2026-05-13T20:11:01.633507992Z",
            "sha256": "e6b616cdc46faca34ffe75e19ffdc3bbc2833a2e53c836f160cd6d5ec8bfcef5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:01:44Z",
            "versions": [
                "0.0.261"
            ]
        },
        {
            "id": "IN-MAL-2026-002573",
            "import_time": "2026-05-13T20:11:00.198406181Z",
            "sha256": "1763e928ff0b87df04094d5bca515f3f2ec8463995334b4110e3e1f73853faff",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T22:06:56Z",
            "versions": [
                "0.0.315"
            ]
        },
        {
            "id": "IN-MAL-2026-002616",
            "import_time": "2026-05-13T20:11:02.725217798Z",
            "sha256": "9a642c1aa5d84d03416e8c3843b240ba0571769a46a0a31a92d608d2f23e28a2",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T03:56:54Z",
            "versions": [
                "0.0.235"
            ]
        },
        {
            "id": "IN-MAL-2026-002570",
            "import_time": "2026-05-13T20:11:00.069327192Z",
            "sha256": "ab27a2a93e92f11d66bff9eef79afedc03b4ead3c918ada268ded094776c373b",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T21:53:38Z",
            "versions": [
                "0.0.251"
            ]
        },
        {
            "id": "IN-MAL-2026-002586",
            "import_time": "2026-05-13T20:11:01.325738467Z",
            "sha256": "f8acda3286b967516c42f496d9ee65e9ec1a516fc6a4b3d39229f7af55c85093",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T00:35:16Z",
            "versions": [
                "0.0.473"
            ]
        },
        {
            "id": "IN-MAL-2026-002610",
            "import_time": "2026-05-13T20:11:02.321459056Z",
            "sha256": "14ec79ee9c39e64f5d26977a7c08fe71a46f3c1b67ce5c6e06fc4c1202f269cb",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T03:19:25Z",
            "versions": [
                "0.0.358"
            ]
        },
        {
            "id": "IN-MAL-2026-002601",
            "import_time": "2026-05-13T20:11:02.223874766Z",
            "sha256": "1ec70d753468edf1751ee01595c8a053c8d5dfc472480e3aa0c74384e025b830",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:39:51Z",
            "versions": [
                "0.0.188"
            ]
        },
        {
            "id": "IN-MAL-2026-002589",
            "import_time": "2026-05-13T20:11:01.480974783Z",
            "sha256": "28ab5771dc3ec13fc89f470d11d113f060102a6013ad8efd88a7e4e3474b6b61",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T00:47:17Z",
            "versions": [
                "0.0.390"
            ]
        },
        {
            "id": "IN-MAL-2026-002582",
            "import_time": "2026-05-13T20:11:01.043710343Z",
            "sha256": "498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T23:40:45Z",
            "versions": [
                "0.0.237"
            ]
        },
        {
            "id": "IN-MAL-2026-002575",
            "import_time": "2026-05-13T20:11:00.468326542Z",
            "sha256": "93dad7200065f05081e2a92304855d3363c2b589a5c7957b7e6a361d527992de",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T22:10:29Z",
            "versions": [
                "0.0.255"
            ]
        },
        {
            "id": "IN-MAL-2026-002613",
            "import_time": "2026-05-13T20:11:02.530248993Z",
            "sha256": "0eeb28e0cfbeccaea95b07a1c2f192257c44bb8f851fcba9de2c9a8f1286acdf",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T03:24:49Z",
            "versions": [
                "0.0.222"
            ]
        },
        {
            "id": "IN-MAL-2026-002597",
            "import_time": "2026-05-13T20:11:02.117381601Z",
            "sha256": "2ab4ef352a13242ba01ac7d9d9b5f81af97ec18c9c97026bd9f7b20f743d4c9e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-13T01:19:08Z",
            "versions": [
                "0.0.324"
            ]
        },
        {
            "id": "IN-MAL-2026-002566",
            "import_time": "2026-05-13T20:10:59.876603628Z",
            "sha256": "2abe8240ad32db3f0f17d2d4bbeaec396bdc6dc540a0da1af69aa0dc62f16fcc",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T21:23:02Z",
            "versions": [
                "0.0.346"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @gusmano/reext

Package

Name
@gusmano/reext
Purl
pkg:npm/%40gusmano/reext

Affected ranges

Affected versions

0.*
0.0.92
0.0.98
0.0.104
0.0.121
0.0.128
0.0.148
0.0.150
0.0.166
0.0.169
0.0.188
0.0.190
0.0.197
0.0.198
0.0.209
0.0.216
0.0.218
0.0.222
0.0.223
0.0.235
0.0.236
0.0.237
0.0.250
0.0.251
0.0.255
0.0.261
0.0.276
0.0.315
0.0.317
0.0.324
0.0.346
0.0.352
0.0.358
0.0.390
0.0.473

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "dist/preinstall.js",
            "sha256": "4241f7ad5530ea5781128d0fb5a0bf4acbfd80eb045672850baa9f36b2036e75",
            "tlsh": "0f91c2458efc843b25677e48980e24173ea1bf21a3a9e714721d935b6be0d24d0636ff"
        },
        {
            "path": "dist/postinstall.js",
            "sha256": "7dcc13f4ed548a976beafc70a07696f7bbd2a7261ad7ef1f98b77ee32026c812",
            "tlsh": "0dd0a7151ed8633828940ed75c23000aa887c9007334b950809c4297138ad848a534f7"
        }
    ],
    "package_integrity": [
        {
            "filename": "reext-0.0.104.tgz",
            "hashes": {
                "sha512_sri": "sha512-fSjnTk+S+nUF8PznFYubjV37zWw4tYUDsqu0aVw00ugp72Oc/UH+aYGcZLaC7Zb+UVOXGV2nU4D9sL1VqYUbAQ==",
                "sha1": "8ff187952cdf3f3870efdc4b46265d823c527e2e"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gusmano/reext/MAL-2026-3684.json"