MAL-2026-4589

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/itc-actors-api/MAL-2026-4589.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4589
Published
2026-05-25T13:48:41Z
Modified
2026-05-26T06:02:37.541559815Z
Summary
Malicious code in itc-actors-api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (22687e1f7601dde1753d3775925d62d040892631394937e56e9b9fba74fb85c6)

The package contains callback.js which collects host identifiers and user information (os.hostname(), os.userInfo(), os.platform(), cwd) and transmits them via an HTTPS request. The file structures the collected data with fields like hostname, username, and cwd — the canonical reconnaissance-beacon shape used by dependency-confusion / supply-chain reconnaissance campaigns. The package name and 99.0.0 version (a high-version-number pattern typical of dependency-confusion attacks targeting internal package names) further corroborate malicious intent. Installing or loading this package leaks identifying information about the installer's machine to an external endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "22687e1f7601dde1753d3775925d62d040892631394937e56e9b9fba74fb85c6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T13:48:41Z",
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-004653",
            "import_time": "2026-05-26T05:53:01.606003595Z"
        },
        {
            "sha256": "71febd3f98de8965afd1151fd7d6f363a4747fc8978e0d3a7e82d8f68d5aaf69",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T13:51:39Z",
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-004654",
            "import_time": "2026-05-26T05:53:01.703787382Z"
        }
    ]
}

Affected packages

npm / itc-actors-api

Affected versions

99.*
99.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/itc-actors-api/MAL-2026-4589.json"
indicators
{
    "domains": [
        "webhook.site",
        "scan-be4455b1da23.scan.itcactorsapi.dep.webhook.site"
    ],
    "package_integrity": [
        {
            "filename": "itc-actors-api-99.0.0.tgz",
            "hashes": {
                "sha1": "134a5330d6459f154736f5ab9ed60f504cfc0076",
                "sha512_sri": "sha512-7cZDCZT/3mR0+YJUfK4ubLw1nqHpMnQ6rhdkCNefVZeK2u6enY5BlxAuVzEKge63YK7LxyVDkeKADoX1tOT8dQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "callback.js",
            "tlsh": "c351b9a5b1b142601bf255c197eb314143b6e10b3a00e8a4bc9d43984f8db6c97b1eff",
            "sha256": "3b274d8b519340c575bf3b585270f382e7bbb407c47d9d35f01971c78ed63fde"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]