MAL-2026-4586

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/intl-ad-routing/MAL-2026-4586.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-4586
Published: 2026-05-25T13:57:52Z
Modified: 2026-05-26T06:02:37.480881703Z
Summary: Malicious code in intl-ad-routing (npm)
Details

Source: amazon-inspector (07b57475540583a4a2af3fb2d790f066c2e77742a704b3e5048c118f82cc8185)

intl-ad-routing@99.0.1 is a dependency-confusion squat targeting an internal @livingdesign/react namespace. On npm install, the package's preinstall hook (poc.js) executes shell commands to enumerate the installer's environment (ipconfig /all on Windows, ip a && cat /etc/resolv.conf on Linux) and collects hostname, username, install directory, network interfaces, the full list of process.env keys, and every npm_* environment variable (which can include npm registry auth tokens / _authToken values). The collected JSON is POSTed over HTTPS to d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me (an interactsh out-of-band collector), and a DNS callback encoding hostname+username is also issued. The package's own description states it is a 'Dependency Confusion PoC' for a bug-bounty program, but the lifecycle code runs on any installer that resolves this public version in place of the intended private package — without the installer's consent — and ships their host identifiers and potentially registry credentials to a third-party collector.


Affected packages

npm / intl-ad-routing

Affected versions

99.*
99.0.0
99.0.1
99.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/intl-ad-routing/MAL-2026-4586.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "poc.js",
            "sha256": "070584fedb3235d6c303ea8528830adb4416e67237d35f20282bc389e917f234",
            "tlsh": "493165d615f9647036b6fac0b0d6ad515367e333b54af8e42588098172cf9f181f52e4"
        },
        {
            "path": "package.json",
            "sha256": "575c59aeb9755bf8f3fe78360ee95d3b9796389495d9e2c6e6337c7b01219522",
            "tlsh": "01e07d781410102317d8c7fa15f64847a12cce0b11086c1a0f6334cc92eeba3417eb9d"
        }
    ],
    "package_integrity": [
        {
            "filename": "intl-ad-routing-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-gjl2nHZtvzDd83BHTvynm08CQLyLCTYf8l8Ff9jhIzSaJgupC7PD1CNVAxjIZh38FxyNqu3C3nQkLR1GG/oHig==",
                "sha1": "71809daf2a7b7e79e314fe44c6be41e8b46bd4a1"
            }
        }
    ],
    "domains": [
        "intl-ad-routing-7363616e2d34313036666434656337.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me",
        "d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"
    ]
}