MAL-2026-4737

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/your-unique-package-name1/MAL-2026-4737.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4737

Published

2026-05-25T02:44:28Z

Modified

2026-05-26T06:03:07.465469583Z

Summary

Malicious code in your-unique-package-name1 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8a82d9cce1cd5cae0e9bae039dc08eccc18ec4494b182d11ab35c25ac4496d34)

On import in a browser context, index.js creates a hidden iframe pointing at https://www.pendo.io/?builder.frameEditing=true and postMessages a 'builder.patchUpdates' payload to 20 hardcoded builder-<uuid> resources, replacing their '/bindings/show' binding with an injected script. The injected script calls fetch('https://novus-api.pendo.io/pendo/app', {credentials:'include'}), base64-encodes the authenticated response, and beacons it in 2000-byte chunks to https://webhook.site/ea1a1f2d-46e2-463a-a1c1-48c53846dff4 via new Image().src. Any application that bundles this package will silently exfiltrate its end users' authenticated Pendo session data to an anonymous attacker-controlled webhook. The package self-describes as 'Security research PoC' but the destination is not a researcher-owned domain and the targeting (hardcoded victim UUIDs, credentials-included fetch) is consistent with a live attack rather than a contained PoC.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:52:51.563611848Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "sha256": "8a82d9cce1cd5cae0e9bae039dc08eccc18ec4494b182d11ab35c25ac4496d34",
            "modified_time": "2026-05-25T02:44:28Z",
            "id": "IN-MAL-2026-004569"
        }
    ]
}

References

https://www.npmjs.com/package/your-unique-package-name1/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / your-unique-package-name1

Package

Name: your-unique-package-name1; View open source insights on deps.dev
Purl: pkg:npm/your-unique-package-name1

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "evidence_files": [
        {
            "tlsh": "dc411fbb2330049416b3616669379f1bf4b32b3b94e18992f8bacb64d5a3a801471b4d",
            "sha256": "5c332aea70085f86d39ea772daacebddd49e4cafd182b3713582ddc0d361198d",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-HUHnRypedL351NSuz0qg6hvWwtjdWV7wgwpXP23/Wgef2MkZt2FoRw5v/xlSMIDkfiG70Y0a7rjMyCopZKZNrA==",
                "sha1": "bcc7580ab94e7570290df4e578614426b6ccbaa1"
            },
            "filename": "your-unique-package-name1-1.0.0.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/your-unique-package-name1/MAL-2026-4737.json"

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]