-= Per source details. Do not edit below this line.=-
package.json declares "preinstall": "node index.js", causing index.js to run automatically on npm install. The script collects os.hostname(), os.userInfo(), home directory, DNS server list, package metadata, and the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to vdcz3c5tmurvu7cqdfk9s524wv2nqee3.oastify.com — a Burp Collaborator subdomain used as an out-of-band exfiltration sink. The package contains no functionality matching its declared name; metadata fields (author, description) are empty and the package name impersonates PubNub branding, consistent with dependency-confusion / typosquat bait. Installing this package leaks installer host identity and local system files to an attacker on every install.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-21T19:56:38Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:44.955474884Z",
"versions": [
"1.0.3"
],
"id": "IN-MAL-2026-004003",
"sha256": "750918c1551873c10f69bc746538652a6adf047d6c76231a40832fff30b74938"
},
{
"modified_time": "2026-05-21T19:56:39Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:45.046129328Z",
"versions": [
"1.0.3"
],
"id": "IN-MAL-2026-004004",
"sha256": "86b6d7737de22762f813d12544a153142fab66e679a9c1055a83e6f0540c5fec"
}
]
}{
"package_integrity": [
{
"filename": "pubnub-moderation-tool-1.0.3.tgz",
"hashes": {
"sha1": "8d03cf03ee6cb14f32fbfe68bb0729bc17b66a03",
"sha512_sri": "sha512-hFRre7iOPqtRNuAJId77xDr5Zwu1N9YsFDL38mzsIJQJB8PtgMFdJgUjH7ouCHAkF+hYx2aoLKyopn0BnX+TEA=="
}
}
],
"domains": [
"vdcz3c5tmurvu7cqdfk9s524wv2nqee3.oastify.com"
],
"evidence_files": [
{
"tlsh": "9e412399a2d917330de210c06a0c70c52359fa777259e99076cf42d69f869f8b7326f3",
"path": "index.js",
"sha256": "440f77dc7b7d7a87a616118717a86de251f1c6a4c49fb6aba7ed74e5bc535a26"
},
{
"tlsh": "ebd05e688d626933a5c10666482a945772728e6f14047c08678b982c91ce67798fb34d",
"path": "package.json",
"sha256": "2710c66ea7cc9f902726ef393fd4db9d523421ae729b9e919270e4ac1d306a28"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pubnub-moderation-tool/MAL-2026-4650.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]