MAL-2026-4629
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/openmct-couch-plugin/MAL-2026-4629.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4629
- Published
- 2026-05-22T17:25:36Z
- Modified
- 2026-05-26T06:02:45.182471350Z
- Summary
- Malicious code in openmct-couch-plugin (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28)
On
npm install, the package'spreinstallscript runsnode index.jsand thencurls the output ofhostname && whoamitohttp://8irluql1d21jmq8tr5n5fyoxjopfdd12.oastify.com/nasa/couchrestore/over plain HTTP. The bundledindex.jsadditionally reads/etc/passwd, captureswhoami/id,os.hostname(),os.platform(),os.userInfo().username, the current working directory, and the first 30 entries ofprocess.env, then HTTPS-POSTs the JSON payload to a second hardcoded Burp Collaborator host (3nrgzlqwix6erldow0s0kttsojuai36s.oastify.com). Both endpoints are oastify.com out-of-band-application-security-testing infrastructure used for blind data exfiltration. The package name impersonates NASA's openmct ecosystem (the exfil path/nasa/couchrestore/reinforces the lure), the package description falsely claims to be an AWS CDK SageMaker workflow, and the README contains the string 'Takeover By l0bo'. Installer harm is unconditional and fires before any user code runs. - Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-05-26T05:52:12.204194858Z", "versions": [ "1.0.0" ], "sha256": "3c1380885956f163ad3cb8a1d2cf1221fa8bcb39aa2bdf7dcc3df83ab5ce8056", "id": "IN-MAL-2026-004232", "source": "amazon-inspector", "modified_time": "2026-05-22T17:25:36Z" }, { "modified_time": "2026-05-22T17:37:49Z", "versions": [ "1.0.2" ], "sha256": "4f246b80cd72ab384a5270f974631d20ebddac7ccac137434102dfdbfd0ea9db", "id": "IN-MAL-2026-004235", "source": "amazon-inspector", "import_time": "2026-05-26T05:52:12.516853886Z" }, { "modified_time": "2026-05-22T17:36:36Z", "versions": [ "1.0.1" ], "sha256": "ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28", "id": "IN-MAL-2026-004234", "source": "amazon-inspector", "import_time": "2026-05-26T05:52:12.419917902Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / openmct-couch-plugin
Package
- Name
- openmct-couch-plugin
- View open source insights on deps.dev
- Purl
- pkg:npm/openmct-couch-plugin
Database specific
indicators
{
"evidence_files": [
{
"sha256": "790c447c7022ed1e593905586aaa25f8e364fbde839816bc246e13ff22db22f0",
"tlsh": "e0411d9424f9953476f36d81b18359237b63f7023806f5a0badc03895bc9be45172ab9",
"path": "index.js"
},
{
"sha256": "9bb658fbdb3ea6e9cfe5b3a917364e6005db35bd202c310c49e9b60f19b07539",
"tlsh": "21e0d12849b493b311d406e4e8fd459665615d174176bc6823c3d01c87cdea348be688",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "openmct-couch-plugin-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-F2cZDhJTBK+g7lpQOeYbY++42KZpgSOlqGa2R7khEOwHOyW/5ATW1kiJv8O3Wm5qI6K6+VxvbjVfmZlioJGQqg==",
"sha1": "9b39fbf63fbaddf416d3879e3e6eb999458adf11"
}
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/openmct-couch-plugin/MAL-2026-4629.json"