-= Per source details. Do not edit below this line.=-
@asavie/i18n@99.0.0 is a dependency-confusion package targeting an unclaimed npm scope. Its package.json declares a preinstall hook that runs node callback.js, which on npm install reads os.hostname() and the output of whoami (callback.js L23, L28) and transmits them to the attacker-controlled out-of-band collector d88r3mao12pqka8tg04gn4ychek66c3wj.oast.site (an Interactsh subdomain) via both a DNS A-record lookup and an https.get() request with the data base64url-encoded into the subdomain (callback.js L21, L37, L46). Version 99.0.0 and the squat on the @asavie scope are the canonical dependency-confusion shape — any build that mistakenly resolves this scope from public npm leaks identifying host data to the publisher. The tarball additionally ships an unrelated ~123 MB google-chrome-stable_current_amd64.deb that is not referenced by any code path; it is not executed but represents either staging or registry abuse. Author claims of 'authorized research' are unverifiable by installers and do not change the installer-side outcome: unsolicited exfiltration of host identifiers on npm install.
The OpenSSF Package Analysis project identified '@asavie/i18n' @ 99.0.1 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"sha256": "c72462533b89e20b39c2336d38a51d34b95330c056845b95a3b390740cadc803",
"import_time": "2026-05-23T15:28:34.273184353Z",
"versions": [
"99.0.1"
],
"modified_time": "2026-05-23T15:10:47Z",
"source": "ossf-package-analysis"
},
{
"source": "ossf-package-analysis",
"import_time": "2026-05-23T16:50:06.156630627Z",
"sha256": "c90149499c9faecb4948903496d7a99bd57f787ed20b7e4e0328d932cd89d96a",
"modified_time": "2026-05-23T16:35:32Z",
"versions": [
"99.0.3"
]
},
{
"id": "IN-MAL-2026-004342",
"versions": [
"99.0.0"
],
"source": "amazon-inspector",
"modified_time": "2026-05-23T14:52:50Z",
"sha256": "e4fec4f800c855729363575ea3ab7f2b6defc5aa0de71d2f1a5895a3db69bb27",
"import_time": "2026-05-26T05:52:24.76185584Z"
},
{
"source": "amazon-inspector",
"versions": [
"99.0.1"
],
"sha256": "3564af29bcc73620093aecb81252259e227011d411a609130c82c9004fb02586",
"modified_time": "2026-05-23T15:00:31Z",
"import_time": "2026-05-26T05:52:24.857316692Z",
"id": "IN-MAL-2026-004343"
},
{
"id": "IN-MAL-2026-004344",
"import_time": "2026-05-26T05:52:24.958276192Z",
"versions": [
"99.0.1"
],
"modified_time": "2026-05-23T15:00:32Z",
"source": "amazon-inspector",
"sha256": "7e403fc0ec28bb05f955dad212fb2b83e7f2143dddd57385b0beac5626fbd99d"
},
{
"source": "amazon-inspector",
"versions": [
"99.0.3"
],
"sha256": "96b50c34d5d5e18e0c6abe89f65dca503cbc25b831d29cf0862df0d3c6b464b1",
"modified_time": "2026-05-23T15:59:33Z",
"import_time": "2026-05-26T05:52:26.253325979Z",
"id": "IN-MAL-2026-004354"
},
{
"source": "amazon-inspector",
"versions": [
"99.0.3"
],
"sha256": "a73d77d4aaaafa5e736bc16da0eedee95e34c5ad31edd3abee306c8c8015158b",
"modified_time": "2026-05-23T15:59:33Z",
"import_time": "2026-05-26T05:52:26.350803682Z",
"id": "IN-MAL-2026-004355"
},
{
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:24.648092427Z",
"sha256": "d803002ee95ea92bdcb3a918e1be10930816db383ce2a58a6947afea84e04040",
"modified_time": "2026-05-23T14:52:50Z",
"id": "IN-MAL-2026-004341",
"versions": [
"99.0.0"
]
}
]
}
{
"package_integrity": [
{
"filename": "i18n-99.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-dYrlHHgkJyc37sqj6jXlDc5sg91nYT0+Ax01Mf2jSDsxILyHf3VW4C5GOLZJk9NF3lzzJb6/U7yQLFd8WYhhXg==",
"sha1": "7986d67e9b1ca8c93b796d51b5d0f9d8de488dc2"
}
}
],
"evidence_files": [
{
"sha256": "9ca346964801019aa05f2563d830f13878d5692cca17d896e9a23add9b4ae582",
"tlsh": "f74186b923f1433015a319d1075f6364026be297b921e9e074fd03484f476aed323ee9",
"path": "callback.js"
},
{
"sha256": "9d3252c9f72c9812b7ae69177001b915400849291d60663d63f8074128bbfe15",
"tlsh": "5ef0d4b49434993319f843d61678d14db029ed4fdc449d1f56c3058c936e5f3067d28d",
"path": "package.json"
}
],
"domains": [
"asavie-i18n.scan-9bd78a93bd58.scan.tfhvz0.d88r3mao12pqka8tg04gn4ychek66c3wj.oast.site"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@asavie/i18n/MAL-2026-4265.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]