-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall.js collects os.hostname() and os.userInfo().username and sends them as query parameters (/?hn=<hostname>&un=<username>) via https.request to am0f14nl6o1nqwrngbrq33amfdl496xv.oastify.com, a Burp Collaborator subdomain. The package ships an empty index.js (module.exports = {}) and a package.json description identifying itself as a 'bug-bounty research placeholder — Convera', published under the @convera/* scope to match a private internal namespace. Any installer who resolves this name (accidental scope resolution, misconfigured registry, or a legitimate Convera dev pulling the public registry version) silently leaks host identifiers to a third-party Collaborator endpoint with no opt-in and no functional code in return. Regardless of the author's stated research intent, this is unauthorized data collection from every installer and a dependency-confusion attack surface against the Convera organization.
The OpenSSF Package Analysis project identified '@convera/ui-shared' @ 0.0.2 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"sha256": "647502d33492bf942a8b0bd468f7420ebca797820c7a47ac74c238c35ae08bff",
"source": "ossf-package-analysis",
"modified_time": "2026-05-14T08:44:28Z",
"import_time": "2026-05-14T09:02:19.439009719Z",
"versions": [
"0.0.2"
]
},
{
"sha256": "271ce9a862ed30273cb6240b1332324bdfcff1d46c231cd197b94105aa8cf96f",
"source": "amazon-inspector",
"modified_time": "2026-05-14T19:46:56Z",
"id": "IN-MAL-2026-002775",
"import_time": "2026-05-15T07:37:19.580889406Z",
"versions": [
"0.0.2"
]
},
{
"sha256": "3fa0960816c1204042cecc61c5337e5db2c1407f5325cfc2ed26e43b5dc054d0",
"source": "amazon-inspector",
"modified_time": "2026-05-14T19:47:10Z",
"id": "IN-MAL-2026-002776",
"import_time": "2026-05-15T07:37:19.624369476Z",
"versions": [
"0.0.3"
]
},
{
"sha256": "4b8662e0a23d1d0110e235efc29c0716b04716640dc11185ecf727447c699667",
"source": "amazon-inspector",
"modified_time": "2026-05-14T19:25:26Z",
"id": "IN-MAL-2026-002725",
"import_time": "2026-05-15T07:37:18.262636197Z",
"versions": [
"0.0.3"
]
}
]
}
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@convera/ui-shared/MAL-2026-3724.json
{
"package_integrity": [
{
"filename": "ui-shared-0.0.2.tgz",
"hashes": {
"sha1": "b6243c476f0d789ffe7b513d72d4d5e9b0452a1d",
"sha512_sri": "sha512-7Nd+7Mv4kO2W6ZU240aucmdmMjoxbOsSvuSYn81k5KYYJ+8ciucpehYcy+kHaztaNp+S9aFG3GEwM8GYpCWFHw=="
}
}
],
"evidence_files": [
{
"path": "preinstall.js",
"tlsh": "7cf0d47d12e0d230232110c4081b15216dabf65152c6c8c4931d06d8cdf21f57b53dbe",
"sha256": "f9c27070dd0c05c2738a5cb17b55f70600c1cdae8c407b84a9b48c7a277ddba8"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]