MAL-2026-4263

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/secdriven/MAL-2026-4263.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4263
Published
2026-05-23T06:25:32Z
Modified
2026-05-26T06:02:53.980130147Z
Summary
Malicious code in secdriven (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e64bd0b65a5cddc6e2032cfdd0a23f06c980a25066490b223d07e1b2e4efe3d8)

On npm install, postinstall.js executes whoami via child_process and reads os.hostname(), os.platform(), the working directory, and the CI / GITHUB_REPOSITORY environment variables, then transmits them as query-string parameters in an HTTPS GET to a hardcoded interactsh subdomain (lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com) under the path /google/secdriven/. A DNS lookup using the whoami output as a subdomain provides a fallback exfiltration channel. The package description ("Security research canary — Google") and a README pointing at a Google CTF internal package.json indicate this is a dependency-confusion payload targeting Google's internal namespace; any installer whose resolver picks up this public name leaks host identity, username, working directory, and CI repository path to the third-party OOB-detection endpoint without consent. Whether published as research or as an attack, the installer-side effect is the same: an unconsented identity-and-environment beacon at install time.

Source: ossf-package-analysis (bafef125d75ec1f8f8b4d9c19e43da29dc8efccecdab347c19a74d1602433535)

The OpenSSF Package Analysis project identified 'secdriven' @ 1.0.8 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "bafef125d75ec1f8f8b4d9c19e43da29dc8efccecdab347c19a74d1602433535",
            "modified_time": "2026-05-23T07:15:46Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-23T07:22:21.103579867Z"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "5accf0a7d5ef749122c408d1b78a4585c663d7218ea42bd276d6e0b14ef04e1b",
            "modified_time": "2026-05-23T06:32:27Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004294",
            "import_time": "2026-05-26T05:52:19.256034723Z"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "5f9fc2c83fd07e30cba7137fce3d4701f5bc1feb9146c396ae939f3acb720643",
            "modified_time": "2026-05-23T06:32:27Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:19.131920626Z",
            "id": "IN-MAL-2026-004293"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "975aa97eecdefbe83b5eab461ef8abe6850de825ce44496cbb351908bc0d51ec",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T06:25:32Z",
            "import_time": "2026-05-26T05:52:18.882063826Z",
            "id": "IN-MAL-2026-004291"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "e64bd0b65a5cddc6e2032cfdd0a23f06c980a25066490b223d07e1b2e4efe3d8",
            "modified_time": "2026-05-23T06:30:38Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:19.014922566Z",
            "id": "IN-MAL-2026-004292"
        }
    ]
}
References
Credits

Affected packages

Package: npm / secdriven
Affected ranges: 1.*
Affected versions: 1.0.1, 1.0.7, 1.0.8

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "secdriven-1.0.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-sqHArBd2KWVkWHooYwcYg/xnoSGOOJQFi7RMUF9PH4pobZ2A8GlyIiLaPB+YMY2wa8eU0z/pXxTBfiMV5CARhA==",
                "sha1": "ef432b7a76c9c19a9a398a43a8cb7ebc4d63b0f0"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "b45fc29a5ae166c215182f92cd5688d06317cd099779b4694768bd47ce3c59a5",
            "path": "postinstall.js",
            "tlsh": "770120f123f0e6f058e24dc0e62598177167e0103341a9e07dac82696f89a7844b2cec"
        },
        {
            "sha256": "9a108b02a118fce0952636cfd3fe3ed15a326916bfe8777a9685c516fbfec04f",
            "path": "readme.md",
            "tlsh": "e7d022cb32aca7a7ec94efcb6a98d2186b3df810b44220c9f3010083b206c8913830e4"
        }
    ],
    "domains": [
        "scan.lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com",
        "lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/secdriven/MAL-2026-4263.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]