MAL-2026-4637

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pewter-constants/MAL-2026-4637.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4637
Published
2026-05-23T17:41:32Z
Modified
2026-05-26T06:02:49.149606081Z
Summary
Malicious code in pewter-constants (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5)

On npm install, a preinstall hook in callback.js collects os.hostname(), os.userInfo().username, process.cwd(), the configured npm registry (npm_config_registry), and CI repository identifiers (GITHUB_REPOSITORY, CI_PROJECT_PATH, BUILD_REPOSITORY_NAME), then sends them in an HTTP GET request to http://75.119.137.232:31337/depconfuse. The package is shaped as a dependency-confusion squat: version 9999.0.0 so that it wins semver resolution against an internal package of the same name, an empty index.js (module.exports = {}), and placeholder author/description metadata ("Security Researcher", "Security research placeholder"). Any build that resolves pewter-constants from the public registry will install this package and silently leak its internal registry URL, CI repository path, and host/user identity to a third-party operator over plain HTTP. The "security research" framing in the metadata does not change the installer-side impact: internal infrastructure is fingerprinted and disclosed without consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004369",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T17:41:32Z",
            "import_time": "2026-05-26T05:52:27.907183724Z"
        }
    ]
}
References
Credits

Affected packages

npm / pewter-constants

Package: npm / pewter-constants
Affected ranges: 9999.*
Affected versions: 9999.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pewter-constants/MAL-2026-4637.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "callback.js",
            "sha256": "681fd66df6380f3163de0c70cf621b81ada674401bd842b230dacd856933760a",
            "tlsh": "1901bde9828858341cc313c4be956c1e98d7d3523283d4c2ab1d31e167531b486f65b9"
        },
        {
            "path": "package.json",
            "sha256": "e9f0be861735561b1077eb4480e2423b803d53550cd916e30663e47342a2b1c6",
            "tlsh": "f3e06814381468332cf686e504719256a065cd1f641a3c0ea746008ce38efdb82fb19e"
        }
    ],
    "package_integrity": [
        {
            "filename": "pewter-constants-9999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-53NZh6fSnlnjnh8sr14zXFOJPp/I/eHg8J3jEpcDXaektjPfcLDo8wP9kSKG9wzKfSB9/AzbAujalxElFb75Hg==",
                "sha1": "aa893fd3ec98b42fabdd658e5434d0029b6f8458"
            }
        }
    ]
}