MAL-2026-4664

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/search-connector-template/MAL-2026-4664.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4664

Published

2026-05-21T21:00:37Z

Modified

2026-05-26T06:02:53.188530189Z

Summary

Malicious code in search-connector-template (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (24aea8e5a7338c49dc96e3945ed4d695024c2e169f560e6f3426005ca4666ea4)

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects host identity (hostname, username, homedir, DNS servers) and reads installer-owned system files (/etc/passwd, /etc/hosts), then POSTs the JSON payload over HTTPS to a Burp Collaborator OAST subdomain (615arnt4a5f6ii011q8kggqfk6q1er2g.oastify.com). This is a classic install-time exfiltration beacon: the destination is attacker-controlled, the data leaving the host belongs to the installer rather than the package author, and execution requires no user action beyond running npm install.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004028",
            "import_time": "2026-05-26T05:51:48.001077959Z",
            "sha256": "24aea8e5a7338c49dc96e3945ed4d695024c2e169f560e6f3426005ca4666ea4",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T21:00:37Z",
            "versions": [
                "1.1.0"
            ]
        },
        {
            "id": "IN-MAL-2026-004029",
            "import_time": "2026-05-26T05:51:48.125046094Z",
            "sha256": "a3b0d5dda5e0170aec1d5dca46e941693ed27c658a8248cc91ad3f44c73b4fec",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T21:00:37Z",
            "versions": [
                "1.1.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/search-connector-template/v/1.1.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / search-connector-template

Package

Name: search-connector-template; View open source insights on deps.dev
Purl: pkg:npm/search-connector-template

Affected ranges

Affected versions

1.*

1.1.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/search-connector-template/MAL-2026-4664.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "3d83c4041eacd79f92abcd9a38423649f87bd2a9511a0b0d4c4576adde940b48",
            "tlsh": "48411199a2d917330dd214c06a0c70843359fab77159e89076cf42d6af869f8b7326f3"
        }
    ],
    "package_integrity": [
        {
            "filename": "search-connector-template-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-AIp0nWctK7zuIlYivThStvi7v7GxvNdKyM/3cUHpWC9op3PDyuzA3XGko6y+Y8WkmuLKa9309Yb/C5o4Xi+lfQ==",
                "sha1": "d87841c1529f2b36a78e815b78b7a2a95f2a93d2"
            }
        }
    ],
    "domains": [
        "615arnt4a5f6ii011q8kggqfk6q1er2g.oastify.com"
    ]
}