MAL-2026-4632

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/orca-website/MAL-2026-4632.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4632

Published

2026-05-22T19:36:29Z

Modified

2026-05-26T06:02:45.660353066Z

Summary

Malicious code in orca-website (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c52f7fe46d56cb45880942f5266494a2654d9d330914a6c3c99f02045eacd1dc)

On require()/import, index.js collects host identifiers (os.hostname(), os.userInfo().username, os.platform(), os.arch(), process.cwd(), process.pid, timestamp) and sends them as URL query parameters via HTTPS GET to a hardcoded Project Discovery Interactsh out-of-band collaborator at vwfmeddcdgidvdwpkigkg0l8us5vf3wtx.oast.fun. The package's stated name ('orca-website') has no relationship to host telemetry; package.json carries empty author, description, and keywords. Any consumer that imports this package unconditionally leaks installer-side host identification to an attacker-controlled OOB domain typically used for reconnaissance / dependency-confusion probing.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004249",
            "import_time": "2026-05-26T05:52:14.069946701Z",
            "sha256": "c52f7fe46d56cb45880942f5266494a2654d9d330914a6c3c99f02045eacd1dc",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T19:36:29Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/orca-website/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / orca-website

Package

Name: orca-website; View open source insights on deps.dev
Purl: pkg:npm/orca-website

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "4e83a9038c807574bf3ca7daf2fc44d5fb4b394df7fa8f897e599cbbaa6432fa",
            "tlsh": "6411eff599f386a01dbb61c06586580590aed503bd0df8f87e4d43e01f854b545a16b4"
        },
        {
            "path": "package.json",
            "sha256": "573b7ddcc637479325755fd45b2272015c3cfd7022855ebf0756fee552c42763",
            "tlsh": "14e0c2285961993315c55252092d9043b360de5f00487c0c53cb582c82de5b358fe34e"
        }
    ],
    "package_integrity": [
        {
            "filename": "orca-website-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-BAcyThzeW8b01VCMymIsKLbEEcomb73k5aFeiGvSDPDCsdF4+PaZQklN4NIkKGrqpcbaPUyn2Ceia/BzedTRXg==",
                "sha1": "4c90aceabda035e5a59e095a7368783d7d736e5c"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/orca-website/MAL-2026-4632.json"