MAL-2026-4389

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@flipbit2-bb/test-auth-state/MAL-2026-4389.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4389
Published
2026-05-20T02:09:32Z
Modified
2026-05-26T06:01:48.992056916Z
Summary
Malicious code in @flipbit2-bb/test-auth-state (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63)

On npm install, a postinstall script (phone-home.js) collects os.hostname(), os.userInfo().username, process.platform + os.release(), a timestamp, and a package label, then issues an HTTPS GET to https://webhook.site/a536b433-b440-43ec-8399-26059196216e. The package is published under @flipbit2-bb/test-auth-state, but the bundled tarball, README, and the phone-home payload's v field all identify as @atlassiansox/cross-flow-support@99.99.99: a dependency-confusion attempt targeting Atlassian's internal scope, with version 99.99.99 chosen to win internal-vs-public resolution. Any installer who pulls this package, not just the intended target, leaks host identifiers to the author's webhook.site endpoint. The package has no other functionality.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:50:33.781123824Z",
            "versions": [
                "0.0.2"
            ],
            "sha256": "52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63",
            "id": "IN-MAL-2026-003395",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:09:32Z"
        },
        {
            "modified_time": "2026-05-20T02:09:32Z",
            "versions": [
                "0.0.2"
            ],
            "sha256": "f5b20d9f984339db71670891222b3ac823f16fc30dca773e09a111b0b3fed8fa",
            "id": "IN-MAL-2026-003396",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:33.877725996Z"
        }
    ]
}
References
Credits

Affected packages

npm / @flipbit2-bb/test-auth-state

Package

Name
@flipbit2-bb/test-auth-state
Purl
pkg:npm/%40flipbit2-bb%2Ftest-auth-state

Affected ranges

Affected versions

0.*
0.0.2

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "bb3a363aaff81a01b9609fee2a357f03d77cc3fc256eda6305c3bbd5bb1a76da",
            "tlsh": "230156e437f59578149d50d0b7663f0be257e6083149f4d0ecad538482c50f026b1676",
            "path": "phone-home.js"
        },
        {
            "sha256": "89c061e3c0ac9f28052f0e03e7346c2e76ad001c0ec62272dde1bea533bb069c",
            "tlsh": "c5f08128a614073725c9571829667513b12dceeb130ddc0423d71204039e7f7473a18d",
            "path": "package.json"
        }
    ],
    "domains": [
        "webhook.site"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-CcKRZ1NHRpXpnskD6XW8u/Ym+obsnzW6WT6LoPtiJNQfLNg9D2/K9eOKem233X06SSE0dlwgn9sS/wgFt6BoGw==",
                "sha1": "736404baf3cc2a4f9cf3c123b5cb1437abfbd233"
            },
            "filename": "test-auth-state-0.0.2.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@flipbit2-bb/test-auth-state/MAL-2026-4389.json"