MAL-2026-4418

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@pluxee-connect/api-client/MAL-2026-4418.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4418
Published
2026-05-20T03:57:26Z
Modified
2026-07-09T09:32:05.872711410Z
Summary
Malicious code in @pluxee-connect/api-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9)

On npm install, postinstall.js collects os.hostname(), os.userInfo(), and process.version and transmits them over plain HTTP to 716bw4e4k31qif2nc1v658fb62ct0soh.oastify.com (a Burp Collaborator out-of-band interaction subdomain), with DNS resolution providing a second exfil channel via subdomain encoding. The package itself is a near-empty shell — index.js exports only a ConsentsStatus enum — and is published at version 99.0.1, far above any plausible legitimate release for the @pluxee-connect scope. The structural shape (high-bumped version + trivial functional surface + lifecycle-time OOB beacon to oastify.com) is the canonical dependency-confusion attack against an internal scope. Any developer or CI system that resolves @pluxee-connect/api-client from public npm will leak machine identifiers to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T03:57:26Z",
            "id": "IN-MAL-2026-003448",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:39.767477875Z",
            "sha256": "0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9",
            "versions": [
                "99.0.1"
            ]
        },
        {
            "modified_time": "2026-05-20T03:58:21Z",
            "id": "IN-MAL-2026-003450",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:39.993445116Z",
            "sha256": "5341a62046be72550e2251f1daefebf8aa8fd5337959f11f22737608594a76df",
            "versions": [
                "99.0.0"
            ]
        },
        {
            "sha256": "b0338c8fd88c7019dff2cc27c111ec86d5058d80013a0b1912f1202740fd1a64",
            "id": "IN-MAL-2026-003449",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:39.863581136Z",
            "modified_time": "2026-05-20T03:57:26Z",
            "versions": [
                "99.0.1"
            ]
        },
        {
            "modified_time": "2026-05-20T03:58:21Z",
            "id": "IN-MAL-2026-003451",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:40.133834727Z",
            "sha256": "c1ff45fd41f66a6b9354fd1981f206045aaab32760562d6fcf01ba69612d89fb",
            "versions": [
                "99.0.0"
            ]
        },
        {
            "modified_time": "2026-07-07T12:26:53Z",
            "id": "RLMA-2026-04769",
            "source": "reversing-labs",
            "import_time": "2026-07-09T09:15:58.796982988Z",
            "sha256": "ec1fabbdcb15e2474aae7f0b02d7dc122a7d0a153b5ab59e77091b48ad45a9a8",
            "versions": [
                "99.0.0",
                "99.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @pluxee-connect/api-client

Package

Name
@pluxee-connect/api-client
View open source insights on deps.dev
Purl
pkg:npm/%40pluxee-connect/api-client

Affected ranges

Affected versions

99.*
99.0.0
99.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "tlsh": "e4016de449e4d63019fa15c8b75b481e50dbe242795bdcc0b8bf42d00f675394660ab8",
            "sha256": "2f025ff9cd5d04b4e0b365e6b7e7750c4e8d26d1872e4a53a704e14057f9046d"
        },
        {
            "path": "package.json",
            "tlsh": "b6d02b208519053324c81754dc774a475bb34e27111c381813c7217c47bd33b58bf25f",
            "sha256": "3d4f20f0fcd918c479e33a05b4a9c46d76aa30f91e1aff90c60c689efbe3cecf"
        }
    ],
    "package_integrity": [
        {
            "filename": "api-client-99.0.1.tgz",
            "hashes": {
                "sha1": "ad6344ac0dce2a95a42349f110a911d684587a62",
                "sha512_sri": "sha512-cfJNKJ6rBFmR33uNxq+NBHqWieEMhmSP9Vw5XTxE3S3RthwUbHOmHf3ZU6B/AynX1Dh2ai0/CzHW9Y326+BEgQ=="
            }
        }
    ],
    "domains": [
        "scan-e1ba26a7c847.scan.716bw4e4k31qif2nc1v658fb62ct0soh.oastify.com",
        "716bw4e4k31qif2nc1v658fb62ct0soh.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@pluxee-connect/api-client/MAL-2026-4418.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]