MAL-2026-4185

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uolcs-host-uol-anuncios-fe/MAL-2026-4185.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4185
Published
2026-05-20T16:06:01Z
Modified
2026-05-26T06:03:00.620408646Z
Summary
Malicious code in uolcs-host-uol-anuncios-fe (npm)
Details


Source: amazon-inspector (16d9407c815fe2d5593da029ee806d455d15f451d1c84d3cd8d6a0a027821d64)

Package claims an internal-scope corporate name (uolcs-host-uol-anuncios-fe) on public npm, version-pinned to 99.99.99 — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name in a target organization's CI. Both preinstall and postinstall hooks in package.json invoke `node ./callback.js`, which reads os.hostname() and os.platform(), embeds them as a subdomain label (uolci-<hostname>-<platform>.d86r3dv5vn81lvohffp0131g8kdx9mz3c.oast.pro), and issues a DNS A lookup. The destination oast.pro is the interactsh out-of-band interaction listener; the DNS query itself is the exfiltration channel, capturing the installer's hostname and OS at the listener owned by whoever controls that token. The README's claim of authorized research is not verifiable from package contents and does not change the installer-side effect: any CI host or developer machine that resolves this name from public npm leaks its identity to a third party on npm install.

Source: ossf-package-analysis (460c859985a6f675c559fa18b353ab35f370e5f1f60c9da53275358a1fdbaa29)

The OpenSSF Package Analysis project identified 'uolcs-host-uol-anuncios-fe' @ 99.99.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
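An added example, not from the OSV record or either analysis source, showing two defender-side checks derived from the description above: a package.json audit that flags the lifecycle-hook plus 99.99.99 shape, and a parser for the interactsh DNS name so resolver logs can be searched for the leaked hostname and platform. The internal name prefix list is an assumption; the sample query is the domain listed in this record's indicators.

```javascript
// Added example (not code from the package or the analyzers cited above).
// Audits a manifest for the dependency-confusion shape described in the
// advisory and parses the out-of-band DNS name that the install hooks resolve.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed: name prefixes the organisation publishes only to its private registry.
const INTERNAL_NAME_PREFIXES = ['uolcs-'];

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
    }
  }
  // A 99.99.99-style pin out-resolves any plausible internal version.
  const parts = String(manifest.version || '').split('.').map(Number);
  if (parts.length === 3 && parts.every((n) => Number.isInteger(n) && n >= 99)) {
    findings.push(`implausibly high version ${manifest.version} (dependency-confusion shape)`);
  }
  if (INTERNAL_NAME_PREFIXES.some((p) => String(manifest.name).startsWith(p))) {
    findings.push(`name "${manifest.name}" matches an internal-only prefix`);
  }
  return findings;
}

// Matches <tag>-<hostname>-<platform>.<token>.oast.pro, the name the hook builds
// from os.hostname() and os.platform(); returns the leaked fields or null.
const OAST_RE = /^([a-z0-9]+)-(.+)-(linux|darwin|win32|freebsd|aix|sunos)\.([a-z0-9]+)\.oast\.pro\.?$/i;

function parseOastQuery(qname) {
  const m = OAST_RE.exec(qname);
  return m ? { tag: m[1], hostname: m[2], platform: m[3], token: m[4] } : null;
}

// Constructed sample manifest mirroring the advisory's description.
const SAMPLE_MANIFEST = {
  name: 'uolcs-host-uol-anuncios-fe',
  version: '99.99.99',
  scripts: { preinstall: 'node ./callback.js', postinstall: 'node ./callback.js' },
};

// The domain from this record's indicators, as it would appear in a resolver query log.
const SAMPLE_QUERY = 'uolci-scan-cd1e5927b0c3-linux.d86r3dv5vn81lvohffp0131g8kdx9mz3c.oast.pro';

console.log(auditManifest(SAMPLE_MANIFEST), parseOastQuery(SAMPLE_QUERY));
```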
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T16:06:01Z",
            "versions": [
                "99.99.99"
            ],
            "sha256": "460c859985a6f675c559fa18b353ab35f370e5f1f60c9da53275358a1fdbaa29",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-20T17:09:24.656933892Z"
        },
        {
            "import_time": "2026-05-26T05:51:02.113855996Z",
            "versions": [
                "99.99.99"
            ],
            "sha256": "16d9407c815fe2d5593da029ee806d455d15f451d1c84d3cd8d6a0a027821d64",
            "id": "IN-MAL-2026-003648",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T23:01:10Z"
        },
        {
            "modified_time": "2026-05-20T23:01:11Z",
            "versions": [
                "99.99.99"
            ],
            "sha256": "e68507a976e11c8ed1ed5ff82bbb1f322f86fd89b7700c8ffc05207bc72266db",
            "id": "IN-MAL-2026-003649",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:02.479612112Z"
        }
    ]
}
References
Credits

Affected packages

npm / uolcs-host-uol-anuncios-fe

Package

Name
uolcs-host-uol-anuncios-fe
Purl
pkg:npm/uolcs-host-uol-anuncios-fe

Affected ranges

Affected versions

99.*
99.99.99

Database specific

indicators
{
    "domains": [
        "uolci-scan-cd1e5927b0c3-linux.d86r3dv5vn81lvohffp0131g8kdx9mz3c.oast.pro"
    ],
    "evidence_files": [
        {
            "sha256": "bb502812684c6ae5ad7753b8e539b45f4ffeb0af7d58337f621a9f12756a041c",
            "tlsh": "ef012034ca0a4d231ce066a324187987f411cd0709183c1637c3014c5f1da7702bf29e",
            "path": "package.json"
        },
        {
            "sha256": "9995eda9986246d14944e74196fde1f8c5ce9568721eb9cff63795ec59c456cd",
            "tlsh": "d051754526e922301fa150929ccc26c2672fd729526ef990a54d479c428677063577bf",
            "path": "callback.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-r/dOYxLrsPWRgErwx4lpP24dkex6fTTdKNKvUetVPH0iPz7WwlsHu/Vz0yAEcy/Zfw2F7oVPA/0FeiIKtTX+lw==",
                "sha1": "4b3426ce48b114b221171e8fc17641508bd7067a"
            },
            "filename": "uolcs-host-uol-anuncios-fe-99.99.99.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uolcs-host-uol-anuncios-fe/MAL-2026-4185.json"