MAL-2026-4633

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/osep-api-hub-service-client-v1/MAL-2026-4633.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4633
Published
2026-05-22T13:52:26Z
Modified
2026-05-26T06:02:45.664255711Z
Summary
Malicious code in osep-api-hub-service-client-v1 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76)

package.json declares "preinstall": "node index.js", causing index.js to run automatically on npm install. index.js collects host identifiers — os.hostname(), os.userInfo() (username/uid/gid/shell), os.homedir(), process.platform, process.arch, process.cwd() — and additionally shells out via child_process to whoami and id. The collected JSON is POSTed to the hardcoded URL https://0pqbxi1hplohnif3fa7tyc1at1zsnobd.oastify.com/detox56, a Burp Collaborator (oastify.com) subdomain controlled by whoever published the package. The package name mimics an internal-sounding scoped client and ships with empty author/description metadata, consistent with a dependency-confusion attack targeting a private package namespace. Any developer or CI system that installs this package immediately leaks host and user identity to the attacker's Collaborator endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-22T13:52:26Z",
            "versions": [
                "10.9.1"
            ],
            "sha256": "35b827956cab8e1ef741b2291e076175d7e61e4c19cff7faaf4ff94cf6792620",
            "id": "IN-MAL-2026-004210",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:09.597331913Z"
        },
        {
            "modified_time": "2026-05-22T13:52:26Z",
            "versions": [
                "10.9.1"
            ],
            "sha256": "cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76",
            "id": "IN-MAL-2026-004209",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:09.498565128Z"
        }
    ]
}

Affected packages

npm / osep-api-hub-service-client-v1

Package

Name
osep-api-hub-service-client-v1
Purl
pkg:npm/osep-api-hub-service-client-v1

Affected ranges

Affected versions

10.*
10.9.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "358592649438ef0e2e1176d3cafbc822adf727f6fffdea54524afd613e4ed9e3",
            "tlsh": "5c5152c515f65a241ba7b8494a4f9002a327e0033545ee55bfcc8340af8837c97f0bf2",
            "path": "index.js"
        },
        {
            "sha256": "fa9fd8adb20800478e419d98ed82b897834b64ef4937a406cef58b9475710292",
            "tlsh": "c1d05e648e62553329c506a24c2ba456b2729f2f54157c08a3df582c41ceb7798fe31c",
            "path": "package.json"
        }
    ],
    "domains": [
        "0pqbxi1hplohnif3fa7tyc1at1zsnobd.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-YL3O0dgCurCqZ6c40W9LAyq+tIgl2XJRwRbbLtgfTowcuPE6A8xlLXpZSAgji+92PQnAmabSYUARQtZCFDk8kA==",
                "sha1": "f0380d53674f87e066935543c56fded022942ac5"
            },
            "filename": "osep-api-hub-service-client-v1-10.9.1.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/osep-api-hub-service-client-v1/MAL-2026-4633.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]