MAL-2026-4479

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/anthropic-shared-logger/MAL-2026-4479.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4479
Published
2026-05-21T00:09:42Z
Modified
2026-05-26T06:02:14.050794507Z
Summary
Malicious code in anthropic-shared-logger (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e54ef50a83e2f379965286ed404d16ca3389a9ce5c8593718ef4e6f307cc6084)

This package impersonates Anthropic's internal namespace and self-describes as 'Full RCE PoC - Alex Birsan Style'. Its package.json declares a postinstall hook that, on every npm install, fetches the installer's public IP from api.ipify.org, runs the command "id || ver && whoami && hostname" via child_process.exec, and POSTs the hostname, current working directory, USERDOMAIN/COMPANY environment variables, IP address, and command output to a hardcoded Interactsh OOB endpoint at lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun over plain HTTP. The combination of namespace impersonation, automatic install-time shell execution, and host reconnaissance exfiltration to attacker-controlled out-of-band infrastructure is a canonical Birsan-style dependency confusion attack. Any build system that mis-resolves this name to the public registry leaks identity and host data to the attacker, enabling targeted follow-on compromise.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003657",
            "versions": [
                "8.0.5"
            ],
            "sha256": "754f7dc4855ecb1df012814bf5ec92a861958b7af0027d88d0a2cb918793cdce",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T00:09:42Z",
            "import_time": "2026-05-26T05:51:03.407406712Z"
        },
        {
            "id": "IN-MAL-2026-003656",
            "import_time": "2026-05-26T05:51:03.295053925Z",
            "sha256": "e54ef50a83e2f379965286ed404d16ca3389a9ce5c8593718ef4e6f307cc6084",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T00:09:42Z",
            "versions": [
                "8.0.5"
            ]
        }
    ]
}

Affected packages

npm / anthropic-shared-logger

Package

Name
anthropic-shared-logger
Purl
pkg:npm/anthropic-shared-logger

Affected versions

8.*
8.0.5

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "c5ee2909d9b5fd81e5446da44cb585c48d5d0847c88622a2e13e9a15894df7ea",
            "tlsh": "8b1179f0dac4d5b9a3d107f97d43d501fd23e75911105cb0e96c16414b45170259be9c"
        }
    ],
    "package_integrity": [
        {
            "filename": "anthropic-shared-logger-8.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-qd0sKM/4kBkd83Ne7r8kz0CwuiO+awnOeF1bWE+MHBnxJYNsny6ImoFvvaw7YtQF3nVAL05PrHKisfKRXtTRgA==",
                "sha1": "42ac708d3461fe7c7e6b03558034a794f4cc49d3"
            }
        }
    ],
    "domains": [
        "api.ipify.org"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/anthropic-shared-logger/MAL-2026-4479.json"