MAL-2026-4638

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pewter-constantstest/MAL-2026-4638.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4638
Published
2026-05-23T18:19:29Z
Modified
2026-05-26T06:02:49.171743542Z
Summary
Malicious code in pewter-constantstest (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (050b19d8dad7c8c1a626c953493c23b375e434128f38950625f82b0fb244eabe)

On npm install, the preinstall script callback.js collects the installer's hostname, OS username, current working directory, npm registry configuration, and CI repository identifiers read from a broad list of CI environment variables (GITHUB_REPOSITORY, CI_PROJECT_PATH, BUILD_REPOSITORY_NAME, BITBUCKET_REPO_FULL_NAME, TRAVIS_REPO_SLUG, DRONE_REPO, BUILDKITE_PIPELINE_SLUG, CIRCLE_PROJECT_REPONAME, JOB_NAME), and transmits them in a plaintext HTTP GET request to the hardcoded bare IP address http://75.119.137.232:31337/depconfuse.

The package has no functional surface: index.js exports an empty object, the description is the generic "Shared utility helpers.", the README is 48 bytes, and the version is 9999.0.0, the canonical dependency-confusion override version chosen to win resolution against an internal package of the same name. The package exists solely to fire this beacon when an organization accidentally resolves the public name in place of a private/internal package, leaking the victim's identity and internal repository names to the attacker for follow-on targeting.
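As an added defensive example (not part of the OSV record or of the ossf/malicious-packages data), the following Node.js script flags the dependency-confusion beacon pattern this advisory describes: an override-style 9999.x version, lifecycle install hooks, a plaintext URL to a bare IP address inside the package's scripts, reads of CI repository variables, and an entry point that exports an empty object. The package.json and file contents below are constructed to mirror the advisory's description, and the "major version >= 9000" threshold is an assumed heuristic, not a rule from the record.

```javascript
// Added example, not code from the OSV record: heuristic audit for the
// dependency-confusion beacon pattern described in MAL-2026-4638.
// Input: a parsed package.json object plus a map of file name -> source text.

// CI repository identifier variables the advisory says callback.js reads.
const CI_REPO_VARS = [
  'GITHUB_REPOSITORY', 'CI_PROJECT_PATH', 'BUILD_REPOSITORY_NAME',
  'BITBUCKET_REPO_FULL_NAME', 'TRAVIS_REPO_SLUG', 'DRONE_REPO',
  'BUILDKITE_PIPELINE_SLUG', 'CIRCLE_PROJECT_REPONAME', 'JOB_NAME',
];
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
// Plaintext URL whose host is a bare IPv4 literal (no TLS, no domain name).
const BARE_IP_URL = /http:\/\/(\d{1,3}\.){3}\d{1,3}(:\d+)?(\/[\w./?=&-]*)?/g;

function auditPackage(pkg, files) {
  const findings = [];
  const major = parseInt(String(pkg.version || '').split('.')[0], 10);
  // Assumed heuristic: an implausibly large major (9999.x in this advisory)
  // is the classic version chosen to win resolution over an internal package.
  if (major >= 9000) findings.push(`override-style version ${pkg.version}`);
  const hooks = LIFECYCLE.filter((h) => pkg.scripts && pkg.scripts[h]);
  for (const h of hooks) findings.push(`lifecycle script "${h}": ${pkg.scripts[h]}`);
  for (const [name, src] of Object.entries(files)) {
    for (const m of src.match(BARE_IP_URL) || []) findings.push(`${name}: beacon URL ${m}`);
    const vars = CI_REPO_VARS.filter((v) => src.includes(v));
    if (vars.length) findings.push(`${name}: reads CI identifiers ${vars.join(', ')}`);
  }
  // A package whose entry point exports nothing has no legitimate reason to run install hooks.
  const entry = files[pkg.main || 'index.js'] || '';
  if (/module\.exports\s*=\s*\{\s*\}/.test(entry)) findings.push('entry point exports an empty object');
  return findings;
}

// Constructed sample mirroring the advisory's description (not the real package files).
const samplePkg = {
  name: 'pewter-constantstest', version: '9999.0.0', description: 'Shared utility helpers.',
  main: 'index.js', scripts: { preinstall: 'node callback.js' },
};
const sampleFiles = {
  'index.js': 'module.exports = {};\n',
  'callback.js': "const u = 'http://75.119.137.232:31337/depconfuse';\n" +
    'const repo = process.env.GITHUB_REPOSITORY || process.env.CI_PROJECT_PATH;\n',
};

for (const f of auditPackage(samplePkg, sampleFiles)) console.log('-', f);
```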

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004379",
            "import_time": "2026-05-26T05:52:29.06066637Z",
            "sha256": "050b19d8dad7c8c1a626c953493c23b375e434128f38950625f82b0fb244eabe",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T18:19:29Z",
            "versions": [
                "9999.0.0"
            ]
        }
    ]
}

Affected packages

npm / pewter-constantstest

Package

Name
pewter-constantstest
Purl
pkg:npm/pewter-constantstest

Affected ranges: 9999.*

Affected versions: 9999.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "callback.js",
            "sha256": "a109dbdaf89dcb8929613bf8787e9d015c8cdf58a1bcd33faa14e320a210f78a",
            "tlsh": "fc117bb9c78c1c3409c2178079686c1eb8fbe291338294917f2d71d26bb22b046b75b9"
        },
        {
            "path": "package.json",
            "sha256": "fcf70fd33bd71cf981f9d0ae8125b6915a33c328592fa612f662c07ee187827e",
            "tlsh": "5cd02e309b2258232cd8abd20c2a654202228e2b01083809278b801e55ae2a718bf28e"
        }
    ],
    "package_integrity": [
        {
            "filename": "pewter-constantstest-9999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Xk2f1WYmerSQB45gzioLW4XzfVMHVLAJhkBFqjfXbrc82a6SJSzLCVmZyYw6kGrAnn0w5CpdSKIH6g5mbXgNwg==",
                "sha1": "0e96eaf1325ffb6d1ad3af8f69990d5cfc43a122"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pewter-constantstest/MAL-2026-4638.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]