MAL-2026-4258

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@engagehub/core/MAL-2026-4258.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4258
Published
2026-05-22T20:02:41Z
Modified
2026-05-26T06:01:48.310071788Z
Summary
Malicious code in @engagehub/core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bcc397ed87426726776c339f950939ac2da46c12edd018ed4bc48031f7044094)

All three lifecycle hooks (preinstall, install, postinstall) in package.json invoke node telemetry.js, so the payload fires unconditionally on npm install. telemetry.js gathers host context (OS, arch, Node version, pid) and CI-provider fingerprints by reading GITHUBACTIONS, AZUREDEVOPS, and JENKINS_HOME, hex-encodes a JSON blob, and exfiltrates it as chunked dns.lookup() queries whose subdomain labels carry the encoded data. The destination is built via string concatenation to evade scanners: "d82atu5fokal0459"+"5n00qkgj7qiyixx7a"+"."+"oa"+"st"+"."+"li"+"ve", resolving to a token under oast.live — an out-of-band interaction (interactsh) service commonly used by attackers as a covert DNS C2/exfil channel. The package additionally impersonates Microsoft (false Copyright (c) Microsoft Corporation header, fabricated github.com/microsoft/core repository URL, references to a nonexistent engdocs.microsoft.com docs site) under an UNLICENSED license to lend credibility to the dropper. Installing this package on a developer workstation or CI runner leaks host and CI-environment fingerprints to attacker-controlled infrastructure and confirms the package is reachable for follow-on targeting.
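For triage, the two behaviours described above can be checked from a package manifest and from resolver logs. This is an added example, not code from the package or from the advisory sources; the query layout `p<index>.<hex chunk>.<run id>.<base domain>`, the placeholder domain `token.example.test`, the function names and the sample data are all assumptions constructed for illustration.

```javascript
// Added example (not from the package or the advisory sources).
// Assumed query layout: p<index>.<hex chunk>.<run id>.<base domain>
const CHUNK = /^p(\d+)\.([0-9a-f]+)\.([0-9a-z]+)\.(.+)$/;
const HOOKS = ["preinstall", "install", "postinstall"];

// Lifecycle hooks that run automatically on `npm install`, grouped by command.
function installHooks(pkg) {
  const byCmd = {};
  for (const h of HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[h];
    if (cmd) (byCmd[cmd] = byCmd[cmd] || []).push(h);
  }
  return byCmd;
}

// Rebuild what left the host from resolver-log query names.
function reassemble(queries, baseDomain) {
  const runs = new Map(); // run id -> Map(index -> Set of distinct hex chunks)
  for (const raw of queries) {
    const m = CHUNK.exec(raw.trim().toLowerCase().replace(/\.$/, ""));
    if (!m || m[4] !== baseDomain.toLowerCase() || m[2].length % 2) continue;
    if (!runs.has(m[3])) runs.set(m[3], new Map());
    const chunks = runs.get(m[3]);
    const i = Number(m[1]);
    if (!chunks.has(i)) chunks.set(i, new Set());
    chunks.get(i).add(m[2]); // retries collapse, differing payloads are kept
  }
  return [...runs].map(([id, chunks]) => {
    const last = Math.max(...chunks.keys());
    const missing = [], ambiguous = [];
    let hex = "";
    for (let i = 0; i <= last; i++) {
      const set = chunks.get(i);
      if (!set) { missing.push(i); continue; }
      if (set.size > 1) ambiguous.push(i); // several installs under one run id
      hex += [...set][0];
    }
    const text = Buffer.from(hex, "hex").toString("utf8");
    let parsed = null;
    if (!missing.length && !ambiguous.length) {
      try { parsed = JSON.parse(text); } catch { parsed = null; }
    }
    return { id, missing, ambiguous, text, parsed };
  });
}

// Constructed sample input (placeholder domain, not the advisory's indicators).
const SAMPLE_PKG = { scripts: { preinstall: "node telemetry.js", install: "node telemetry.js", postinstall: "node telemetry.js", test: "jest" } };
const SAMPLE_QUERIES = ["p1.696e7578222c2263", "p0.7b226f73223a226c", "p2.69223a307d", "p1.696e7578222c2263"].map((l) => l + ".0001.token.example.test").concat("registry.npmjs.org");
```

A single command wired to all three hooks, and a run whose `missing` or `ambiguous` lists are non-empty, both deserve a closer look: the first matches the manifest pattern described above, the second means the log holds a partial capture or several installs.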

Source: ossf-package-analysis (326b05b76110daa7a72638fd81d726fb2ccb229f93e203e07aa236639b9120fa)

The OpenSSF Package Analysis project identified '@engagehub/core' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "326b05b76110daa7a72638fd81d726fb2ccb229f93e203e07aa236639b9120fa",
            "import_time": "2026-05-22T20:36:48.234267082Z",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-22T20:05:56Z",
            "versions": [
                "99.0.0"
            ]
        },
        {
            "sha256": "00d2aa8784139f3335dd28e4b761b1f90459d3ff18f4e531d1f26287b05510be",
            "id": "IN-MAL-2026-004252",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T20:02:42Z",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-05-26T05:52:14.414325182Z"
        },
        {
            "sha256": "bcc397ed87426726776c339f950939ac2da46c12edd018ed4bc48031f7044094",
            "import_time": "2026-05-26T05:52:14.314767657Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T20:02:41Z",
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-004251"
        }
    ]
}

Affected packages

npm / @engagehub/core

Package

Name
@engagehub/core
Purl
pkg:npm/%40engagehub%2Fcore

Affected ranges

Affected versions

99.*
99.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@engagehub/core/MAL-2026-4258.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "domains": [],
    "evidence_files": [
        {
            "tlsh": "1851c65a6ee820281a62e0b8b51f5503f37993331b24f955e08fc3645fe75b851bcae2",
            "sha256": "61c869a8ad4b842d6c5df56f9fe0d06286fb14a4d075dce87d5a8b6651dc221a",
            "path": "telemetry.js"
        },
        {
            "tlsh": "0a014228de280d272dd12aa299730181a3350d2b09043c083fc2021c8bcea6f52ff32d",
            "sha256": "21b71d8e400486993e1e437aabfc449c342bd90e7cbac74e9c50546b552981a3",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "core-99.0.0.tgz",
            "hashes": {
                "sha1": "294235300cccbb57558786500483d81984daf729",
                "sha512_sri": "sha512-UlqAfzQ9kUkpBMMKlyd9OPeRBuBBDxizwrZQ6oB8n2fAB+adcGx7HBzwvKdhWnbh6szEfGwb2o6MraRw5QIpwA=="
            }
        }
    ]
}