MAL-2026-3748

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@pelmnaads/naads-common-logger/MAL-2026-3748.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3748
Published
2026-05-14T19:25:51Z
Modified
2026-05-15T07:52:27.205665Z
Summary
Malicious code in @pelmnaads/naads-common-logger (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (68990dfacdc750bf464d646aca4855c2dd23bbefcadef1d9638e2d663a23fc57)

The package is published to the public npm registry under @pelmnaads/naads-common-logger with version 19999.0.1. This is the canonical dependency-confusion pattern: an abnormally high version number is chosen so that npm's resolver prefers this public package over a private internal package of the same name. On npm install, a preinstall lifecycle script (preinstall.js:5-9) makes an HTTPS GET to h5nvwrz2815ubw84cpkwhezm5db9z1nq.b.mburpcollab.com with the query parameters package=<npm_package_name>&hostname=<os.hostname()>, sending the installing machine's hostname off-host to a Burp Collaborator out-of-band interaction endpoint. The README states this is an authorized security test, but the code path and its effect on an unsuspecting installer are identical to a hostile dependency-confusion attack: build hosts silently disclose their identity to a third-party domain during npm install, with no opt-in. Any build system that resolves this package (for example an internal Pelmorex pipeline expecting the private @pelmnaads/naads-common-logger) would leak hostname data.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002766",
            "import_time": "2026-05-15T07:37:19.454275828Z",
            "sha256": "2f25d490deb5c32e9675f7941c54e8e9c9c1c180adaf00de19e4bb2a10325c47",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:53Z",
            "versions": [
                "19999.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-002763",
            "import_time": "2026-05-15T07:37:19.409978984Z",
            "sha256": "68990dfacdc750bf464d646aca4855c2dd23bbefcadef1d9638e2d663a23fc57",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:51Z",
            "versions": [
                "19999.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-002786",
            "import_time": "2026-05-15T07:37:19.946869887Z",
            "sha256": "8e4fd2828e3ff35aa485baef1b289b8faa19386e1c5199cbddb213b844a57733",
            "source": "amazon-inspector",
            "modified_time": "2026-05-15T00:04:56Z",
            "versions": [
                "19999.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @pelmnaads/naads-common-logger

Package

Name
@pelmnaads/naads-common-logger
Purl
pkg:npm/%40pelmnaads/naads-common-logger

Affected ranges

Affected versions

19999.*
19999.0.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "preinstall.js",
            "sha256": "f953effaba2900cece999a0e4f06d5eb4ac614e490856715c678213d2cec8a6b",
            "tlsh": "13e0f1f50171d72057f023c4e08ca50a1423d213748e59b0bacd13e29f854b86a96cf0"
        },
        {
            "path": "package.json",
            "sha256": "11f68af131ee9e697e4a07518447cc623810a3c8e314473f24a87745df66b91d",
            "tlsh": "80d022754c45da322ac803c2243f720921a9cbaa6000092c9adb700be381263082b148"
        }
    ],
    "package_integrity": [
        {
            "filename": "naads-common-logger-19999.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-FzJ2y8GAG3og3Mggld5FreQatbt2KLubLqlCuQ68lKnbAIqo4lMr5kug5uHwNiAL/aN3nbAtPQihpl8z0EmR+g==",
                "sha1": "beaf5d70084a3c99d3c125103ce3d27e9e553486"
            }
        }
    ],
    "domains": [
        "h5nvwrz2815ubw84cpkwhezm5db9z1nq.b.mburpcollab.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@pelmnaads/naads-common-logger/MAL-2026-3748.json"