MAL-2026-5166

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sourceflow-tracker/MAL-2026-5166.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5166
Published
2026-06-02T11:40:44Z
Modified
2026-06-09T18:01:36.960310276Z
Summary
Malicious code in sourceflow-tracker (npm)
Details

Source: amazon-inspector (0c32024f2d571ac850d0e9a7240951137c14d1f1529ab3e0f782ff677a5625ea)

package.json declares a dependency ltidisafe resolved directly from a raw tarball URL on a generic Google Cloud Storage bucket (https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz). The tarball is unversioned, carries no integrity hash, and is hosted on infrastructure unrelated to any documented publisher; the bucket owner can replace its bytes at any time without changing the URL. On npm install, npm fetches and installs this tarball transitively and runs any lifecycle scripts it ships. The visible package itself is a stub: index.js only contains console.log("hello from lslslslslss"), package metadata is placeholder gibberish (description lspodcc, author lslsls), and the version is set to 99.91.9 — a pattern consistent with dependency-confusion attempts to outrank a legitimate internal package of the same name. The package's only practical effect when installed is to drop attacker-mutable code into the consumer's install graph.
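The install-graph risk described above is mechanical to check for. The following is an added example, not code from the advisory, OSV or Amazon Inspector: it audits a package.json and a package-lock.json for dependencies fetched from tarball URLs outside the npm registry and for lockfile entries that resolve to such a URL without an integrity hash. The manifests are constructed for this example (the tarball URL is the one named in the advisory), and the only trusted registry host assumed is registry.npmjs.org.

```javascript
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // assumption: the only trusted source
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
// Host of a plain http(s) tarball spec (npm's "remote" dependency type);
// null for semver ranges, dist-tags, git+, file: and other specifiers.
function remoteTarballHost(spec) {
  if (!/^https?:\/\//.test(spec)) return null;
  try {
    return new URL(spec).host;
  } catch {
    return null;
  }
}

// Direct dependencies declared as tarball URLs off the registry. A
// package.json spec cannot carry an integrity hash, so the dependency is
// only as trustworthy as whoever controls the host at install time.
function findRemoteTarballDeps(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const host = remoteTarballHost(String(spec));
      if (host && !REGISTRY_HOSTS.has(host)) findings.push({ field, name, spec, host });
    }
  }
  return findings;
}

// Lockfile entries resolved from a non-registry URL with no "integrity":
// npm would accept whatever bytes that URL returns on the next install.
function findUnpinnedLockEntries(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.resolved) continue; // root entry or workspace link
    const host = remoteTarballHost(entry.resolved);
    if (host && !REGISTRY_HOSTS.has(host) && !entry.integrity) findings.push({ path, resolved: entry.resolved });
  }
  return findings;
}

// Constructed manifests mirroring the stub described in the advisory.
const samplePackageJson = {
  name: "sourceflow-tracker", version: "99.91.9",
  dependencies: { ltidisafe: "https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz", semver: "^7.0.0" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "sourceflow-tracker", version: "99.91.9" },
  "node_modules/ltidisafe": { resolved: "https://storage.googleapis.com/lscunpentest/pack_ux_foundry.tgz" },
  "node_modules/semver": { resolved: "https://registry.npmjs.org/semver/-/semver-7.0.0.tgz", integrity: "sha512-CONSTRUCTED" },
} };
console.log(findRemoteTarballDeps(samplePackageJson), findUnpinnedLockEntries(sampleLock));
```

Run against a real tree, the same two functions also surface a registry-hosted lockfile entry that has lost its integrity field, which is worth treating as a signal in its own right.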

Source: ossf-package-analysis (1699207dcb748d9894d27585d5e49f48e906eae167d75434c15cd15f1aeb5502)

The OpenSSF Package Analysis project identified 'sourceflow-tracker' @ 99.91.9 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.91.9"
            ],
            "modified_time": "2026-06-02T11:40:44Z",
            "sha256": "1699207dcb748d9894d27585d5e49f48e906eae167d75434c15cd15f1aeb5502",
            "source": "ossf-package-analysis",
            "import_time": "2026-06-02T13:24:05.818669411Z"
        },
        {
            "versions": [
                "99.91.9"
            ],
            "modified_time": "2026-06-09T17:18:28Z",
            "sha256": "0c32024f2d571ac850d0e9a7240951137c14d1f1529ab3e0f782ff677a5625ea",
            "id": "IN-MAL-2026-005013",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:48.968234291Z"
        },
        {
            "versions": [
                "99.91.9"
            ],
            "modified_time": "2026-06-09T17:18:28Z",
            "sha256": "4590a6ebf9922235f803ec6400b9b804d3f1ea2704c8a2041855fcfd552f1737",
            "id": "IN-MAL-2026-005014",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.039701764Z"
        }
    ]
}

Affected packages

Package: npm / sourceflow-tracker
Affected ranges: 99.*
Affected versions: 99.91.9

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "domains": [
        "storage.googleapis.com",
        "10.200.32.2.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com",
        "7363616e2d376430343765366163633131.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com",
        "2f686f6d652f7363616e.ux-foundry.wwwz15e554m201wwajfl7m1ey54z1nq.oastify.com"
    ],
    "package_integrity": [
        {
            "filename": "sourceflow-tracker-99.91.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-SBJVcj5220JoOPMUcMtWjyTwtqU24BMHqTxulT0xNxlZymoEiLUwo8AZOW3eClTGzt1FMR4X2ugD44kIiiAwsg==",
                "sha1": "67fdd3864978081fc1912065aad3054bdb73f42f"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "82e02628595255334bc542e64c257427e7a48f0e100c7c0807db212c09ceab37cfe35c",
            "sha256": "142e4819e1d23c99f8c4c660fc34debf5d95ada45c1a6a9b146b3e392bd31d14"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sourceflow-tracker/MAL-2026-5166.json"