MAL-2026-4424

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@remitee-money-transfer/rmt-base/MAL-2026-4424.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4424
Published
2026-05-21T20:41:29Z
Modified
2026-06-26T12:21:34.413599017Z
Summary
Malicious code in @remitee-money-transfer/rmt-base (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5f21c6601855c2f2d0a5d0761d3defe8c0ba1708dd2a67fb278c03e0abd6ba16)

Package ships only a preinstall lifecycle script (scripts/preinstall.sh) and no functional code. On npm install, the script reads /etc/passwd and /root/.ssh/id_rsa, fetches the host's public IP via ifconfig.me, and POSTs all three values to https://astralishmx.requestcatcher.com/BONK2 using curl -k (TLS verification disabled). The package is published under a scope impersonating Remitee (@remitee-money-transfer/rmt-base) at an inflated version (99.99.102) consistent with a dependency-confusion attack against a private internal package; the declared main: index.js does not exist in the tarball. The author handle (astralis) matches the exfiltration hostname, and requestcatcher.com is a free request-capture service commonly abused as a low-effort exfiltration sink. The combined fingerprint — install-time read of classic installer secrets, hardcoded attacker C2, namespace impersonation, dependency-confusion versioning, and absence of any legitimate code — leaves no benign interpretation.


Affected packages

npm / @remitee-money-transfer/rmt-base

Package

Name
@remitee-money-transfer/rmt-base
Purl
pkg:npm/%40remitee-money-transfer%2Frmt-base

Affected ranges

Affected versions

99.*
99.99.99
99.99.100
99.99.102
99.99.104

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "rmt-base-99.99.102.tgz",
            "hashes": {
                "sha512_sri": "sha512-oUBrgwGpxzJgJjNAFjjnwEGoN3vNM0evU6r+bT9Ksf4VxYx+4UKRmV6/QyiAwE/Dyas/omnzvJM331Qb1LUHpQ==",
                "sha1": "5337e95912888379421014261d7b2262d01cf58b"
            }
        }
    ],
    "domains": [
        "ifconfig.me",
        "astralishmx.requestcatcher.com"
    ],
    "evidence_files": [
        {
            "path": "scripts/preinstall.sh",
            "tlsh": "aec012d228502c32e6168b54da056528c106d6a31e55de40a279d76c1b8d5955296285",
            "sha256": "8ff8eabefdcda710226d55aeb0a9916c0cc5e6b8ae0ce8e7de288c4b4baf8bdb"
        },
        {
            "path": "package.json",
            "tlsh": "e0d0eb381f12a8336e6083a21e856816a1d086ae5410b83089cb651500a77f01acf206",
            "sha256": "8f02dd72e20e47f131adc4f2a374fd47687842d553b8b4c9361fb467740f70f3"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@remitee-money-transfer/rmt-base/MAL-2026-4424.json"