MAL-2026-4614

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/moneykit-cardano-demo/MAL-2026-4614.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4614
Published
2026-05-21T19:19:36Z
Modified
2026-05-26T06:02:42.971663378Z
Summary
Malicious code in moneykit-cardano-demo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e6186e5ec8b6cea4f1cec3b4284cf09f2e317dd7d745fb5f88e15b355497d08e)

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects host identifiers and OS files (os.hostname(), os.userInfo().username, home directory, DNS servers, /etc/passwd, /etc/hosts, and the consumer's full package.json) and HTTPS-POSTs the JSON payload to bixf8sa9rawbznh6ivppxl7k1b72vtji.oastify.com, a Burp Collaborator subdomain.

The package ships no functionality matching its name; metadata is empty (no author, description, or license). The name moneykit-cardano-demo resembles an internal/private namespace and is consistent with a dependency-confusion reconnaissance package targeting an organization's internal scope.

Installer harm: every npm install of this package leaks host identity, the local user account, OS-level files (/etc/passwd, /etc/hosts), and the consumer project's package.json contents to the attacker, providing target identification and the foothold data needed for follow-on attacks.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "e6186e5ec8b6cea4f1cec3b4284cf09f2e317dd7d745fb5f88e15b355497d08e",
            "modified_time": "2026-05-21T19:19:36Z",
            "versions": [
                "1.1.0"
            ],
            "id": "IN-MAL-2026-003998",
            "import_time": "2026-05-26T05:51:44.309428Z"
        },
        {
            "sha256": "f81e8eff0e7705526162dee2bf6cd4d92c29250434a706de54e3381cc405bacf",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T19:19:36Z",
            "versions": [
                "1.1.0"
            ],
            "id": "IN-MAL-2026-003999",
            "import_time": "2026-05-26T05:51:44.483049443Z"
        }
    ]
}

Affected packages

npm / moneykit-cardano-demo

Package

Name
moneykit-cardano-demo
Purl
pkg:npm/moneykit-cardano-demo

Affected ranges

Affected versions

1.*
1.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/moneykit-cardano-demo/MAL-2026-4614.json"
indicators
{
    "domains": [
        "bixf8sa9rawbznh6ivppxl7k1b72vtji.oastify.com"
    ],
    "package_integrity": [
        {
            "filename": "moneykit-cardano-demo-1.1.0.tgz",
            "hashes": {
                "sha1": "ed1e093fffb64f5e2a3d1ef52b03ddc786cd6a39",
                "sha512_sri": "sha512-qGv10hq/LrvcTEYqPeyYkxrUKZwMzZMkHhCgmhv7ZkofkVeTPOonxNucR9FWdO589ut6O7b0FzYLD8HshAgF6Q=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "6c412399a2c917330de210c06a0c70852359fa777169e8d076cf4296af869f8b7326f3",
            "sha256": "ac995929995fb8c81e19121444b5b5d6ef240645ac9435ab113776ebc6c0d61a"
        },
        {
            "path": "package.json",
            "tlsh": "92d05e204e21657365c606a2482aa597a2618e2f05043c0867cb282c82dea77a8fa34d",
            "sha256": "4337b8999b604889dc97e99ee6efd2bb327c0b9b9fbebb2365bc6d4cdbd663f0"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]