MAL-2026-4822

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadtest-browser-lib/MAL-2026-4822.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4822

Published

2026-05-26T15:27:31Z

Modified

2026-05-26T17:01:45.780264429Z

Summary

Malicious code in loadtest-browser-lib (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (934a61b207f82f8549de09139a73a80f47746bba1dacd21f657d34e6e542324e)

On npm install, the package's preinstall hook executes index.js, which collects host identifiers (hostname, username, platform, arch, cwd, pid, timestamp) and sends them as query parameters in an HTTPS request to fxpkkxatijbbyxuhdclqig6334q9m1j8w.oast.fun, an out-of-band callback host. package.json declares "preinstall": "node index.js", so the beacon fires automatically on default install with no user interaction. The package self-describes as 'hijacking by yusif', consistent with a dependency-confusion / namespace-hijack proof-of-concept payload. Any installer running npm install leaks identifying machine information to the attacker's collaborator endpoint.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "934a61b207f82f8549de09139a73a80f47746bba1dacd21f657d34e6e542324e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T15:27:31Z",
            "import_time": "2026-05-26T16:47:31.765363146Z",
            "versions": [
                "1.31.3"
            ],
            "id": "IN-MAL-2026-004929"
        },
        {
            "sha256": "c81e2ecc8a6dfe7a5b7e5f2d1fd48690a5f1dff0dab6357f33eb2869c4db3c16",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T15:34:15Z",
            "import_time": "2026-05-26T16:47:31.890863163Z",
            "versions": [
                "1.31.3"
            ],
            "id": "IN-MAL-2026-004932"
        }
    ]
}

References

https://www.npmjs.com/package/loadtest-browser-lib/v/1.31.3

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / loadtest-browser-lib

Package

Name: loadtest-browser-lib; View open source insights on deps.dev
Purl: pkg:npm/loadtest-browser-lib

Affected ranges

Affected versions

1.*

1.31.3

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadtest-browser-lib/MAL-2026-4822.json"

indicators

{
    "domains": [
        "fxpkkxatijbbyxuhdclqig6334q9m1j8w.oast.fun"
    ],
    "package_integrity": [
        {
            "filename": "loadtest-browser-lib-1.31.3.tgz",
            "hashes": {
                "sha1": "9abbdcfbfb004854a95dcc974a6e487c5c11f298",
                "sha512_sri": "sha512-WtTPIxEi+V/9fmrWlQMzKj4GuyF6n0PH95tU0ysuwCu3UdbZfpyOcBkdexQ+G9K6AxNr5FWEOZ7yfAWRcaeCDg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "6111e3f559f28a641dbb31c455866905a09ad1137d0df8fc7e5d43e00f8547a45a0ab4",
            "sha256": "f3a0f65846fb606655b12a8d7ce292057b06ad32b7193fbb3a1cd243c3e3f6fe"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]