-= Per source details. Do not edit below this line.=-
On npm install, the package's postinstall hook runs node index.js, which collects the installer's hostname, OS platform, current working directory, CI environment indicators, Node version, and OS username via os.hostname(), os.platform(), os.userInfo(), process.cwd(), and process.env, and POSTs the payload as JSON to https://webhook.site/604bab71-0179-419e-998e-6f15e524bfd7 (a request-capture bin on the public webhook.site service, controlled by the package publisher). Because webhook.site is a shared public service, the full URL, not the domain alone, is the indicator specific to this package. The README self-describes the package as a dependency-confusion canary targeting an internal package namespace, and the name is chosen to collide with that internal scope. Any developer machine or build pipeline that resolves this package instead of the intended internal one leaks internal hostnames, usernames, working-directory paths, and CI job metadata to a third party at install time, without consent. The claimed 'authorized research' status does not change the installer-side harm.
{
"malicious-packages-origins": [
{
"sha256": "0ffc68b4ac2b7db114c3c44fa1a89b5ee6cd0e1a25a083513e9213549a311384",
"source": "amazon-inspector",
"modified_time": "2026-05-24T21:28:45Z",
"import_time": "2026-05-26T05:52:49.600388174Z",
"versions": [
"0.0.7"
],
"id": "IN-MAL-2026-004553"
},
{
"sha256": "62c9035e303ec731c71c689ed77eed17b245cd4adc475cb616ff94991539aa56",
"source": "amazon-inspector",
"modified_time": "2026-05-24T21:28:44Z",
"import_time": "2026-05-26T05:52:49.499146475Z",
"versions": [
"0.0.7"
],
"id": "IN-MAL-2026-004552"
},
{
"sha256": "70481954c70dee24f0745b6784c3499f98cd0bdb3beee58efeea1d5245f73491",
"source": "amazon-inspector",
"modified_time": "2026-05-21T19:57:35Z",
"versions": [
"0.0.6"
],
"id": "IN-MAL-2026-004007",
"import_time": "2026-05-26T05:51:45.558062984Z"
},
{
"sha256": "d1d7f2066249d7a3e4ddc55ec1c1f28c865787e5d745503e8d656ed74a428570",
"source": "amazon-inspector",
"modified_time": "2026-05-21T19:57:35Z",
"versions": [
"0.0.6"
],
"id": "IN-MAL-2026-004006",
"import_time": "2026-05-26T05:51:45.461111071Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fnd-stores/MAL-2026-4565.json"
{
"domains": [
"webhook.site"
],
"package_integrity": [
{
"filename": "fnd-stores-0.0.7.tgz",
"hashes": {
"sha1": "f2e0f88e33b69625963ea267e9de335a52b26215",
"sha512_sri": "sha512-ZIC3XuLN3bRLOdf+HFLFjmW0kTP9SXd19FVCudMT9tG7sGTBVThkFJZW4F0ow/Uc3nu5eR9moWkw0DbZDPN09A=="
}
}
],
"evidence_files": [
{
"path": "index.js",
"tlsh": "f1018ef883d998601ef9e780745c880b55b6f041734370a06fb0612a7b783b405b28ab",
"sha256": "8aa0cbe03d08806629336369b0f854e0283908dea9a4654e795c2044ddd56825"
},
{
"path": "README.md",
"tlsh": "21d02b1ffb1515304195099b2420555b68f5c834b61605a5a8490b4e725d69cd321190",
"sha256": "73877f42c4e33da5d6f6a406edff1ba01db55ba2f8a4dbec8568591988edeb5e"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]