MAL-2026-4537

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cosmosdb-server/MAL-2026-4537.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4537
Published
2026-05-23T15:32:58Z
Modified
2026-05-26T06:02:24.726334909Z
Summary
Malicious code in cosmosdb-server (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (925077d4c86616920b1ad20f2342df7473d9504764582235049e78eed9189a76)

Package squats the unscoped name cosmosdb-server, targeting users who mistype npx cosmosdb-server instead of the scoped @vercel/cosmosdb-server. The package.json declares bin: {"cosmosdb-server": "./index.js"} and self-describes as a 'bin-mismatch PoC' for the Vercel package. When invoked (via npx, bin execution, or require()), index.js collects os.hostname(), process.cwd(), process.platform, process.arch, and a timestamp and POSTs them to a hardcoded endpoint at https://callback-monitor.cyb3rsh4ykh.workers.dev/c, controlled by the package author. The 'security research / responsible disclosure' framing in the description does not constitute installer consent — the package is published live on the public registry under a name designed to capture mistyped invocations, and victims have no opportunity to opt out before their host identity and working-directory path are exfiltrated. Combination of (a) ≤2-edit name confusion against a scoped Vercel package, (b) hardcoded attacker-controlled exfil endpoint, and (c) immediate-on-execution data collection meets the typosquat-with-installer-harm threshold.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-23T15:32:58Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "925077d4c86616920b1ad20f2342df7473d9504764582235049e78eed9189a76",
            "id": "IN-MAL-2026-004347",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:25.316264978Z"
        },
        {
            "modified_time": "2026-05-23T16:12:29Z",
            "versions": [
                "0.0.2"
            ],
            "sha256": "bd70e10e2c7d65e7513de4b24cf12a84b72c2b9bc60c308193d16e556579cbc8",
            "id": "IN-MAL-2026-004359",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:26.798984862Z"
        },
        {
            "modified_time": "2026-05-23T16:12:19Z",
            "versions": [
                "0.0.2"
            ],
            "sha256": "92604ddb032b222715131556ae2bd43c107849724e592697f99782131d461e0c",
            "id": "IN-MAL-2026-004358",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:26.669356548Z"
        }
    ]
}

Affected packages

npm / cosmosdb-server

Package

Affected ranges

Affected versions

0.*
0.0.1
0.0.2

Database specific

indicators
{
    "domains": [
        "callback-monitor.cyb3rsh4ykh.workers.dev"
    ],
    "evidence_files": [
        {
            "sha256": "f9bfe1d95b9d03bce089fa359d667f50c26e152716ef66b1e7ec041c82dabe62",
            "tlsh": "5421d0d192da62252ae5adc070b33e4ba397c534f702a451668501e56ff98b8cc912cb",
            "path": "index.js"
        },
        {
            "sha256": "e34d03f70361706f92abdb54a351b19f7e590bdcc66969b516de088e9727bb00",
            "tlsh": "b6e026336414c22b69e815981c302a9a7e248b521344790c035b8309e29cab182b8359",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-rhcCK9+hYuGF5+9xwGW5rNeFNbsc0sODUZjX9X78A61ZrbBZGLJgSZCdcOfiHwbbhQm0QhY5SC/u1Av2/F4fNQ==",
                "sha1": "fb01c47a48f091401ea19d86b9b772665f1b0cfd"
            },
            "filename": "cosmosdb-server-0.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cosmosdb-server/MAL-2026-4537.json"