MAL-2026-4193

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/private-next-pages/MAL-2026-4193.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4193
Published
2026-05-20T18:14:49Z
Modified
2026-05-26T06:02:39.612313135Z
Summary
Malicious code in private-next-pages (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (00c6505c70734328f859fa758ad45ba680403a4cfeedd60d2f9e035b026bd45c)

package.json declares a postinstall script that uses Node's child_process to execute reconnaissance commands (including whoami) and beacon results out via HTTPS. The script contacts https://api.ipify.org to resolve the installer's public IP, reads process.env, and sends data to an .oast.fun host — the Project Discovery interact.sh out-of-band testing service used as a generic exfiltration sink. On npm install, this fires automatically and leaks host identity, network egress IP, and environment variables to an attacker-controlled collector. There is no legitimate reason for a Next.js page utility package to perform host fingerprinting or beacon to an OOB interaction service at install time.

Source: ossf-package-analysis (ff710fe6d7fd45d98e33a811da127f892b543f920fe244e16f56e71db66c3ebf)

The OpenSSF Package Analysis project identified 'private-next-pages' @ 9.0.5 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific 
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T18:14:49Z",
            "versions": [
                "9.0.5"
            ],
            "sha256": "ff710fe6d7fd45d98e33a811da127f892b543f920fe244e16f56e71db66c3ebf",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-20T18:18:23.063948299Z"
        },
        {
            "modified_time": "2026-05-20T23:51:16Z",
            "versions": [
                "9.0.5"
            ],
            "sha256": "00c6505c70734328f859fa758ad45ba680403a4cfeedd60d2f9e035b026bd45c",
            "id": "IN-MAL-2026-003650",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:02.606227244Z"
        },
        {
            "import_time": "2026-05-26T05:51:02.727832173Z",
            "versions": [
                "9.0.5"
            ],
            "sha256": "7bb63ecb31a75e0d7668aad050547f7c02319ad7f241a2a1df244a55330337f5",
            "id": "IN-MAL-2026-003651",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T23:51:16Z"
        }
    ]
}
References
Credits

Affected packages

npm / private-next-pages

Package

Name
private-next-pages
View open source insights on deps.dev
Purl
pkg:npm/private-next-pages

Affected ranges

Affected versions

9.*
9.0.5

Database specific

indicators 
{
    "evidence_files": [
        {
            "sha256": "91fd93f8b0aa352c33d393c6b7592dd78ef9d62eca453bcb44cfe8f39fdd0ca3",
            "tlsh": "781165e099c0e6b9e3d147f4b907d506f933eb1a62105cb0b96c16829b441b052abfdc",
            "path": "package.json"
        }
    ],
    "domains": [
        "api.ipify.org",
        "lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-9J8R+yct4SeOv6S1NQSIW4bg0Ui19s9CuKrcQpc7ZbannbGqobVOtSEFafiXxeviJ2vI/9ZfQ0a2z4e28RTQlw==",
                "sha1": "85d2bd4109543aee679959487cf8de32d7950a73"
            },
            "filename": "private-next-pages-9.0.5.tgz"
        }
    ]
}
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/private-next-pages/MAL-2026-4193.json"