MAL-2026-5150

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@aonunited/angular/MAL-2026-5150.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5150
Aliases
  • GHSA-xm5f-7c4r-7wgx
Published
2026-06-02T03:40:41Z
Modified
2026-07-14T06:19:10.872180720Z
Summary
Malicious code in @aonunited/angular (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (63dac830216ae445ebe7c5f45534e479d73a23a098ea9fc5740eeded5ebab4c9)

On npm install, the package's preinstall script (preinstall.js) collects the installer's hostname, OS username, current working directory, and a timestamp, then sends them to two attacker-style out-of-band endpoints: a DNS lookup of a subdomain under oast.fun (an Interactsh-style callback service) constructed from the installer's identifiers, and an HTTPS POST of a JSON payload to a webhook.site URL. The package itself provides no functionality — it is a high-version (99.0.1) namespace-confusion lure against an internal @aonunited/angular package, designed so that any environment whose resolver picks the public registry copy will auto-execute the beacon. Although the metadata describes this as authorized HackerOne VDP research, the package is published to the public npm registry, so any developer or build system that installs or mistypes it leaks host fingerprints to third-party infrastructure without consent.

Source: ghsa-malware (edcefa4f7ecdb8b1bf87735af2b0de89a74794dda4d8fbac66b99eaa7914d861)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Source: ossf-package-analysis (411e19a999b3354e6b5ad40e6da82882c1bf314a35d722ade7b3e23eb9c4a46c)

The OpenSSF Package Analysis project identified '@aonunited/angular' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "411e19a999b3354e6b5ad40e6da82882c1bf314a35d722ade7b3e23eb9c4a46c",
            "import_time": "2026-06-02T03:48:09.61593257Z",
            "modified_time": "2026-06-02T03:40:41Z",
            "source": "ossf-package-analysis",
            "versions": [
                "99.0.1"
            ]
        },
        {
            "modified_time": "2026-06-09T17:43:05Z",
            "sha256": "63dac830216ae445ebe7c5f45534e479d73a23a098ea9fc5740eeded5ebab4c9",
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-06-09T17:45:54.832974932Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005103"
        },
        {
            "modified_time": "2026-06-09T17:43:06Z",
            "sha256": "99c3d41b561dd83a12c6cfe9ea516a785019ca83f967e8082dd1d0846fd87aaf",
            "versions": [
                "99.0.1"
            ],
            "import_time": "2026-06-09T17:45:54.883605173Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005104"
        },
        {
            "versions": [
                "99.0.0"
            ],
            "sha256": "876080f93d0095e9fa2ea21979aa3c193f06f2dbbc5214aa9bcc8451865f3100",
            "import_time": "2026-06-09T18:50:21.413767468Z",
            "modified_time": "2026-06-09T18:02:27Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005163"
        },
        {
            "source": "amazon-inspector",
            "sha256": "ef384053c91cc48a45d530e3a54f9b627a2e52c159c0866aaacb018f92090783",
            "import_time": "2026-06-09T18:50:21.322401934Z",
            "modified_time": "2026-06-09T18:02:27Z",
            "id": "IN-MAL-2026-005162",
            "versions": [
                "99.0.0"
            ]
        },
        {
            "source": "ghsa-malware",
            "sha256": "edcefa4f7ecdb8b1bf87735af2b0de89a74794dda4d8fbac66b99eaa7914d861",
            "import_time": "2026-07-14T05:59:59.700915078Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "GHSA-xm5f-7c4r-7wgx",
            "modified_time": "2026-07-14T05:29:10Z"
        }
    ]
}
References
Credits

Affected packages

npm / @aonunited/angular

Package

Name
@aonunited/angular
View open source insights on deps.dev
Purl
pkg:npm/%40aonunited/angular

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

99.*
99.0.0
99.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "angular-99.0.1.tgz",
            "hashes": {
                "sha1": "e7c05df355fb30889597325357f918db5118e618",
                "sha512_sri": "sha512-xM1DD1nrx0MQUMy2Sr/8mvzQfx+nWZoHC09lHw9BOY69yU50YhTnGKUBWfpDvhjBcRojKBx/Fps+48H6RihlOw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "512163fa67a2f1b41db4bdc4a095e9181467d30671e0c6c0fa8c029c4aef4f405e2e58",
            "sha256": "d89bee9e19a0e0f13b6abde3e1a89cd3bb04d4a864551eb362f29b79f0051247",
            "path": "preinstall.js"
        },
        {
            "tlsh": "c6f0c07968b050332ce542ce04b2410a7b6ddd6ea351ad1e67c7044c934ebb6433766d",
            "sha256": "451b9103124ca86963a6a766bd5840fd24094b2fd9d54aec6b9ff9c0ad584ed9",
            "path": "package.json"
        }
    ],
    "domains": [
        "webhook.site",
        "aonunited-angular.scan.scan-2c31bb99697c.d8f498hai91idrq6d800yt6eptci8myz6.oast.fun"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@aonunited/angular/MAL-2026-5150.json"