MAL-2026-4650

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pubnub-moderation-tool/MAL-2026-4650.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4650
Published
2026-05-21T19:56:38Z
Modified
2026-05-26T06:02:52.135924550Z
Summary
Malicious code in pubnub-moderation-tool (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (750918c1551873c10f69bc746538652a6adf047d6c76231a40832fff30b74938)

package.json declares "preinstall": "node index.js", causing index.js to run automatically on npm install. The script collects os.hostname(), os.userInfo(), home directory, DNS server list, package metadata, and the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to vdcz3c5tmurvu7cqdfk9s524wv2nqee3.oastify.com — a Burp Collaborator subdomain used as an out-of-band exfiltration sink. The package contains no functionality matching its declared name; metadata fields (author, description) are empty and the package name impersonates PubNub branding, consistent with dependency-confusion / typosquat bait. Installing this package leaks installer host identity and local system files to an attacker on every install.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-21T19:56:38Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:44.955474884Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-004003",
            "sha256": "750918c1551873c10f69bc746538652a6adf047d6c76231a40832fff30b74938"
        },
        {
            "modified_time": "2026-05-21T19:56:39Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:45.046129328Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-004004",
            "sha256": "86b6d7737de22762f813d12544a153142fab66e679a9c1055a83e6f0540c5fec"
        }
    ]
}
References
Credits

Affected packages

npm / pubnub-moderation-tool

Package

Name
pubnub-moderation-tool
View open source insights on deps.dev
Purl
pkg:npm/pubnub-moderation-tool

Affected ranges

Affected versions

1.*
1.0.3

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "pubnub-moderation-tool-1.0.3.tgz",
            "hashes": {
                "sha1": "8d03cf03ee6cb14f32fbfe68bb0729bc17b66a03",
                "sha512_sri": "sha512-hFRre7iOPqtRNuAJId77xDr5Zwu1N9YsFDL38mzsIJQJB8PtgMFdJgUjH7ouCHAkF+hYx2aoLKyopn0BnX+TEA=="
            }
        }
    ],
    "domains": [
        "vdcz3c5tmurvu7cqdfk9s524wv2nqee3.oastify.com"
    ],
    "evidence_files": [
        {
            "tlsh": "9e412399a2d917330de210c06a0c70c52359fa777259e99076cf42d69f869f8b7326f3",
            "path": "index.js",
            "sha256": "440f77dc7b7d7a87a616118717a86de251f1c6a4c49fb6aba7ed74e5bc535a26"
        },
        {
            "tlsh": "ebd05e688d626933a5c10666482a945772728e6f14047c08678b982c91ce67798fb34d",
            "path": "package.json",
            "sha256": "2710c66ea7cc9f902726ef393fd4db9d523421ae729b9e919270e4ac1d306a28"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pubnub-moderation-tool/MAL-2026-4650.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]