MAL-2026-4635

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/payment-account-input-selector/MAL-2026-4635.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4635
Published
2026-05-21T10:54:34Z
Modified
2026-05-26T06:02:49.074046913Z
Summary
Malicious code in payment-account-input-selector (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (12187e6fb4ae4d3a411cea0c3ec8b995e1091a9cf78219db9fbcdac87540aabf)

On npm install, preinstall.js collects hostname, username, platform, cwd, timestamp, and a full dump of os.networkInterfaces() and HTTP-GETs them as query parameters to a hardcoded Burp Collaborator (oastify.com) endpoint. Errors are silently swallowed (the source comment notes 'Silent fail to avoid detection'). The package's metadata advertises an Oracle JET payment account selector but ships only a 5-line stub for index.js — the only real logic is the install-time beacon. The combination of empty author metadata, generic 'oracle/jet/payment' keywords, hollow main entry, and a recon-only preinstall is consistent with a dependency-confusion probe against an internal Oracle JET package name, with installer host/network topology exfiltrated to the attacker's OAST collector.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "12187e6fb4ae4d3a411cea0c3ec8b995e1091a9cf78219db9fbcdac87540aabf",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T10:54:34Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-003800",
            "import_time": "2026-05-26T05:51:20.359843654Z"
        },
        {
            "sha256": "7b74f6fab946732374a26dc312d5c41e59e54ec1391b4360f7acb918644d109d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T10:54:34Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-003801",
            "import_time": "2026-05-26T05:51:20.465695223Z"
        }
    ]
}

Affected packages

npm / payment-account-input-selector

Package

Name
payment-account-input-selector
Purl
pkg:npm/payment-account-input-selector

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/payment-account-input-selector/MAL-2026-4635.json"
indicators
{
    "domains": [
        "hxip7klpzbucongciitep20es5ywmvak.oastify.com"
    ],
    "package_integrity": [
        {
            "filename": "payment-account-input-selector-1.0.0.tgz",
            "hashes": {
                "sha1": "485ed9e4b60f1fc9656c70d93c89dc42549fab7c",
                "sha512_sri": "sha512-axOPILYT5JNVjcSulT+Z1jUZ1uWh3WSm1ud3Nlz6i5FOMRrf3OLto5Ltw4sLEKnym4Ru2g8QdqEEprDIJEECbA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "preinstall.js",
            "tlsh": "ce0112b054b6a2e02df117c050a11636f1ffe214bd1171977cfa03c847198318711a77",
            "sha256": "7812bf4d47dbc9ed9d444cc159bbcb088247f1d7cd9ba349b7306a690b7b2963"
        },
        {
            "path": "package.json",
            "tlsh": "1ad02b342820a83328c68ab12d63e14eb3a28d5b40003c0ca3c3001406de97386bb55f",
            "sha256": "dcbf8282460431a407d04522885b2b127fc4343b5b7a396d80dc5948832ac36a"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]