MAL-2026-4710

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/walmart-shared-modules/MAL-2026-4710.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4710
Published
2026-05-25T14:15:57Z
Modified
2026-05-26T06:03:04.393295604Z
Summary
Malicious code in walmart-shared-modules (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a)

Package declares preinstall: node poc.js, which on npm install collects host identity (os.hostname, whoami/id, ipconfig/ip a output), scrapes environment variables matching credential-shaped prefixes (TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, JENKINS, CI_, WALMART, WMT), reads the parent project's package.json and CI configuration files (.gitlab-ci.yml,.github/workflows, Jenkinsfile), and HTTPS POSTs the aggregated JSON to a hardcoded interactsh OOB endpoint at d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me, plus a DNS callback with a hex-encoded hostname/username. The package is published at version 99.0.1 with a self-described 'Dependency Confusion PoC' purpose targeting Walmart's internal walmart-shared-modules namespace, intended to win npm's highest-version-wins resolution. Any installer outside Walmart's authorized testing scope still suffers full environment and CI-secret exfiltration; self-declared 'security research' framing does not neutralize the harm to unrelated installers.

Database specific 
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.0.1"
            ],
            "modified_time": "2026-05-25T14:15:57Z",
            "sha256": "963185e66a528f9fb7cb25980d37e538ddda90ec99330c003b3aa31a4cd516a7",
            "id": "IN-MAL-2026-004687",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:05.288171155Z"
        },
        {
            "versions": [
                "99.0.1"
            ],
            "modified_time": "2026-05-25T14:15:57Z",
            "sha256": "e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a",
            "id": "IN-MAL-2026-004686",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:05.190338731Z"
        }
    ]
}
References
Credits

Affected packages

npm / walmart-shared-modules

Package

Name
walmart-shared-modules
View open source insights on deps.dev
Purl
pkg:npm/walmart-shared-modules

Affected ranges

Affected versions

99.*
99.0.1

Database specific

cwes 
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/walmart-shared-modules/MAL-2026-4710.json"
indicators 
{
    "domains": [
        "walmart-shared-modules-7363616e2d39366661396566653930.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me",
        "d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"
    ],
    "package_integrity": [
        {
            "filename": "walmart-shared-modules-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-XANMC5dSfjjua3xPO0JVIlyC/8Hl4eVFgsVW5BgMza/OaPSS4PYM3r/F6bz7XvFb5j5L4rJJRYqM04JG4KqrVw==",
                "sha1": "f9e6b76e04028cd5a2aa693c78aa28c834eba87a"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "poc.js",
            "tlsh": "4571c8d482fa1e30226a74b1f5cd000522d7d3933246f9d4798c1a919f9f4b482f67bd",
            "sha256": "71fc07e0628fed895e841f0af5a76744429568513134461d78cc9bd6708ab10e"
        },
        {
            "path": "package.json",
            "tlsh": "45e07d781870143316d8c6fa25b74547a128dd0b511c6c290b57348c42afb7301bfb5d",
            "sha256": "6d83ebecd7ef09f18cbd25694484ecc5987fa68819e3f8b027ad89cbfb969c99"
        }
    ]
}