MAL-2026-4535

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/configcat-trello-powerup/MAL-2026-4535.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4535

Published

2026-05-21T20:42:44Z

Modified

2026-05-26T06:02:23.032527412Z

Summary

Malicious code in configcat-trello-powerup (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b)

package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host identifiers (os.hostname, os.userInfo, homedir, DNS servers) and reads sensitive system files (/etc/passwd, /etc/hosts) plus package metadata, then HTTPS POSTs the bundle to a hardcoded Burp Collaborator subdomain hzklpyrf8gdhgtycz16veroqihobc10q.oastify.com. The package ships no real functionality — empty description, empty author, and a name resembling a plausible internal Trello/ConfigCat integration — fingerprint of a dependency-confusion squat whose only purpose is to beacon installer-side data to the attacker for follow-on targeting.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-21T20:42:45Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "408ece81736dc366c6b5bbe4bb43186d622df67d9c0b675ace108f1b74439a08",
            "id": "IN-MAL-2026-004021",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:47.124944843Z"
        },
        {
            "modified_time": "2026-05-21T20:42:44Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b",
            "id": "IN-MAL-2026-004020",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:47.000707196Z"
        }
    ]
}

References

https://www.npmjs.com/package/configcat-trello-powerup/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / configcat-trello-powerup

Package

Name: configcat-trello-powerup; View open source insights on deps.dev
Purl: pkg:npm/configcat-trello-powerup

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "domains": [
        "hzklpyrf8gdhgtycz16veroqihobc10q.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "47ea228c1e6b0bc159ec4969626ee46225f34bf28d1b67ace3f1490edec744c7",
            "tlsh": "20412595a2c917330dd110c0aa0c70843359fa777259a99076cf42979f869f8b7326f3",
            "path": "index.js"
        },
        {
            "sha256": "561b5f240097ab83193579f01bf82891f9a422539f3593a62170a96ed23c2e0a",
            "tlsh": "98d0a7344d22553325c506a64c2b945776718f6f05143c0863cb583c91de6b798ff34d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "configcat-trello-powerup-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-H1GyUfahI3l7R2U4XWyLsnn0ntVOpamUguGgaPf0A4bCg7nDoWR/N4ZAFuZQyMoRZj/QksyR4Nrg4tQ0r6tmxQ==",
                "sha1": "c0577625311533f87eea15b524de2339424c41d8"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/configcat-trello-powerup/MAL-2026-4535.json"