MAL-2026-4860

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@qlab/ui/MAL-2026-4860.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4860
Published
2026-05-28T19:35:41Z
Modified
2026-06-11T13:46:34.406120547Z
Summary
Malicious code in @qlab/ui (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1b7872b498f71081087798b86ec67dd7fc33ab268d9b36de04b7d5d2b2698205)

package.json declares scripts.preinstall: node index.js, causing index.js to run automatically during npm install. index.js collects os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), the current working directory, and the contents of package.json, then POSTs the payload over HTTPS to https://eo1e4fhn1i67p8r.m.pipedream.net. The same beacon is duplicated in ai/index.js, which is exposed through the package's exports map as ./ai, so require('@qlab/ui/ai') re-fires the POST at import time. The combination of preinstall lifecycle execution, an attacker-controlled webhook endpoint, and harvesting of installer host/user/DNS/package metadata is a dependency-confusion reconnaissance beacon targeting the @qlab scope. Installers are the direct victims: simply running npm install ships their machine identity to the attacker.

Source: ossf-package-analysis (6202e241f53fd8e0b248f81b951077a67feef0f070b93c57b148d120cc70e69b)

The OpenSSF Package Analysis project identified '@qlab/ui' @ 2.0.6 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-28T19:35:41Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-28T20:18:24.608774983Z",
            "versions": [
                "2.0.6"
            ],
            "sha256": "6202e241f53fd8e0b248f81b951077a67feef0f070b93c57b148d120cc70e69b"
        },
        {
            "modified_time": "2026-06-11T12:56:31Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T13:27:20.506390319Z",
            "id": "IN-MAL-2026-005729",
            "versions": [
                "2.0.6"
            ],
            "sha256": "5a45152f64a2ace337189e6bb3ec837b200b092f3afce5edf20a968518f7abef"
        },
        {
            "modified_time": "2026-06-11T12:56:31Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T13:27:20.458677901Z",
            "versions": [
                "2.0.6"
            ],
            "id": "IN-MAL-2026-005728",
            "sha256": "1b7872b498f71081087798b86ec67dd7fc33ab268d9b36de04b7d5d2b2698205"
        }
    ]
}
References
Credits

Affected packages

npm / @qlab/ui

Package

Name
@qlab/ui
View open source insights on deps.dev
Purl
pkg:npm/%40qlab%2Fui

Affected ranges

Affected versions

2.*
2.0.6

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ui-2.0.6.tgz",
            "hashes": {
                "sha1": "fa982a4f89f5728a4f4cddebbd579bcce976a3d3",
                "sha512_sri": "sha512-kHAlh8CAeC45vnj4/iFx9sPynRZcaxX7C/SOus+/E8k1rUEkuZv1xKq+JgyFtTHTmm0+ObdQ1d10W4EqpvVOag=="
            }
        }
    ],
    "domains": [
        "eo1e4fhn1i67p8r.m.pipedream.net"
    ],
    "evidence_files": [
        {
            "sha256": "a7e18272aee814e3f4f821b4b911ff6586a8ee7170087ebdb52d99f61d0e789a",
            "path": "index.js",
            "tlsh": "8811afd885e123600d7645c47899d00916aad737790e6ddcf5cc06d04f89abd60b3af5"
        },
        {
            "tlsh": "c511afd885e123600d7645d47899900916aad737790e6ddcf5cc06d04f89abd60b3af5",
            "path": "ai/index.js",
            "sha256": "9e2d1a7590d6c1b987443fcabb878cf37f77ba485fb88c325bd89f0a614ad727"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@qlab/ui/MAL-2026-4860.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]