MAL-2026-4634

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/osep-react-antd/MAL-2026-4634.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4634
Published
2026-05-22T14:04:36Z
Modified
2026-05-26T06:02:46.266055766Z
Summary
Malicious code in osep-react-antd (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9373e8880ad89854cc168b48a36c59bd72abfaf220e08fb751b948f0c4d8ddfb)

package.json declares a preinstall script, node index.js, which runs automatically on npm install. index.js collects host identifiers (os.hostname(), process.platform, arch, os.homedir(), os.userInfo() including uid/gid/username/shell, cwd) and the output of whoami and id via child_process, then POSTs the JSON payload to a hardcoded URL, https://qtn11857tbs7r8jtj0bj2250xr3jrafz.oastify.com/detox56. The oastify.com host is Burp Suite Collaborator out-of-band infrastructure used to receive callbacks from compromised installers. The package name mimics React/Ant Design naming conventions, and the package ships empty author/description/license metadata with no functional code beyond the beacon, which is the shape of a dependency-confusion squat. Installer harm: every npm install of this package leaks the installer's hostname, username, uid/gid, and shell to the attacker, identifying internal corporate environments and CI runners for follow-on targeting.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004212",
            "import_time": "2026-05-26T05:52:09.882897463Z",
            "sha256": "9373e8880ad89854cc168b48a36c59bd72abfaf220e08fb751b948f0c4d8ddfb",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T14:04:36Z",
            "versions": [
                "10.10.11"
            ]
        },
        {
            "id": "IN-MAL-2026-004213",
            "versions": [
                "10.10.11"
            ],
            "sha256": "9dcc00a5c8ddc89b443480d79e52a071516f70ae6ed584eb55866c7b5297383f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T14:04:37Z",
            "import_time": "2026-05-26T05:52:10.014487093Z"
        }
    ]
}
References
Credits

Affected packages

npm / osep-react-antd

Package

Affected ranges

Affected versions

10.*
10.10.11

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "6e4e841afa6316d1f03cf17c94c2da05440872f74448180bcd086b367c86bf1a",
            "tlsh": "135141c515f656251ba7b8494a4f9402a327e0033509ee55bfcc8340af8837c9bf0bf6"
        },
        {
            "path": "package.json",
            "sha256": "dde96b4fa8155a134e7d81c015cba43f25f93e0f856bf85e8dc49496507bd795",
            "tlsh": "e4d05e204d21553369c106a34c2b945672a19f2f04043c08a3cb692d418eb7788fa30d"
        }
    ],
    "package_integrity": [
        {
            "filename": "osep-react-antd-10.10.11.tgz",
            "hashes": {
                "sha512_sri": "sha512-KAGFz9HnmdYA+ZLHWuF7k/IKtPYCH9If/h4vaUq05OEHmsJEj847bet+6V+1wMCTypSWFuCmNjrk7hza8AJ8kw==",
                "sha1": "4a9c4cc9f8ce029c6d377e0ea81fcd8ea7df4052"
            }
        }
    ],
    "domains": [
        "qtn11857tbs7r8jtj0bj2250xr3jrafz.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/osep-react-antd/MAL-2026-4634.json"