MAL-2026-4655
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qr-code-styling-temp/MAL-2026-4655.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4655
- Published
- 2026-05-19T18:45:27Z
- Modified
- 2026-05-26T06:02:51.402832942Z
- Summary
- Malicious code in qr-code-styling-temp (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (004a5cc51cc0e38448c56189fb4437ad113eec163f7ae1a7692b88d6aed71182)
The package's
installlifecycle script (node index.js) and its main entry both loadlib/core.js, which readsos.userInfo().username,os.hostname(), and the current working directory basename and encodes them into a subdomain ofoob.sl4x0.xyz, then triggers adns.resolve4lookup ofsamsung.<user>.<host>.<cwd>.<ts>.oob.sl4x0.xyz. This is an out-of-band DNS exfiltration beacon that fires on everynpm installand on everyrequire()of the package, leaking installer identity to an attacker-controlled domain. Module names (os,dns,process,userInfo,hostname,resolve4) and the C2 domain are hidden asString.fromCharCodecharcode arrays in lib/b02e30.js and lib/6ad264.js, withosanddnsloaded viamodule.constructor._load(...)to evade staticrequirescanners. The package name impersonates the popularqr-code-stylinglibrary but ships an unrelated API surface, and the author emailresearch@sl4x0.xyzshares the same domain as the exfiltration host — confirming the typosquat lure and attacker-controlled infrastructure. - Database specific
{ "malicious-packages-origins": [ { "sha256": "004a5cc51cc0e38448c56189fb4437ad113eec163f7ae1a7692b88d6aed71182", "id": "IN-MAL-2026-003240", "source": "amazon-inspector", "modified_time": "2026-05-19T18:45:27Z", "versions": [ "9.9.10" ], "import_time": "2026-05-26T05:50:16.384829394Z" }, { "sha256": "20b1cb1f8211a6eb0d5b0ec3bb8cf8819cdd1c661c806e838d62f8c157e0e37f", "id": "IN-MAL-2026-003248", "source": "amazon-inspector", "modified_time": "2026-05-19T18:58:10Z", "versions": [ "9.9.11" ], "import_time": "2026-05-26T05:50:17.416947799Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / qr-code-styling-temp
Package
- Name
- qr-code-styling-temp
- View open source insights on deps.dev
- Purl
- pkg:npm/qr-code-styling-temp
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qr-code-styling-temp/MAL-2026-4655.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"tlsh": "d0f02d69b393c48f97e096d0360a53d18559c3c0e7cf8195fb7c4a87904e7d1ca85a55",
"sha256": "d24415d02b2768deed6613ba41e3837825889459718a582d352a0805d40a321c",
"path": "lib/core.js"
},
{
"sha256": "1a2311c854ee8851bcbb6c5ec8cad943891f72e184b21bd9716581be36295af0",
"tlsh": "56e068073303c94fa1c80bfb7d0050e0aa0d8b58a21dc0d6b528678500af447c0c0632",
"path": "lib/b02e30.js"
},
{
"sha256": "a30d0c5d786712e9c52406ca2a4e8671031aa6e93ee0b4512776bbe3c6cab583",
"tlsh": "16218b22ce214c233ad969a0ad6d3941b4a70c974e547c0977c2522d8fdf26f12bf61d",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "qr-code-styling-temp-9.9.10.tgz",
"hashes": {
"sha1": "07bf549e8950e4005997e20e77f7376de489af54",
"sha512_sri": "sha512-veeCwOt/VuCzgo8x3TW2v2ZKMlOok62RbOn70hYbJJrmZjtI5EkJIYw9VNcOgY9qqStWgNhMNTWzZ6VMAwSXhg=="
}
}
]
}