MAL-2026-5286

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/encrypted-archive/MAL-2026-5286.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5286
Published
2026-06-06T19:29:29Z
Modified
2026-06-11T00:16:30.742315285Z
Summary
Malicious code in encrypted-archive (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c60d89261c09dc6eaea0a3af26af55519421cb927a1b8183009d09b2d4e99b94)

On npm install, the package executes a preinstall hook (package.json "preinstall": "node index.js || true") that runs index.js, which performs a DNS resolution and HTTPS GET to a hardcoded interactsh/oast.me subdomain (d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me). Each install leaks the resolver IP, public egress IP, hostname-derived identifier, and install timestamp to a third-party out-of-band interaction server. The package's own metadata states it is a dependency-confusion proof-of-concept squatting an internal Ubiquiti namespace; any build system that resolves this name from the public registry instead of the intended private registry will silently run the beacon. Regardless of the author's stated research intent, the install-time network I/O to an attacker-controlled OOB host is the canonical dependency-confusion exploitation primitive and exfiltrates installer-side network/identity data.

Source: ossf-package-analysis (13428a6cdcd4736d3f044dd6a580724699318155a1c1e283b586b9a4c3ab6295)

The OpenSSF Package Analysis project identified 'encrypted-archive' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "import_time": "2026-06-06T19:34:10.14005191Z",
            "sha256": "13428a6cdcd4736d3f044dd6a580724699318155a1c1e283b586b9a4c3ab6295",
            "versions": [
                "99.0.0"
            ],
            "modified_time": "2026-06-06T19:29:29Z"
        },
        {
            "id": "IN-MAL-2026-005317",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:58.022044354Z",
            "sha256": "f291327983b20a3a12bd0b0b5e7fcbd0b81034402c97da2921cbe8fff14f7fd8",
            "versions": [
                "0.0.2-security-research"
            ],
            "modified_time": "2026-06-10T23:35:18Z"
        },
        {
            "id": "IN-MAL-2026-005316",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:57.93525986Z",
            "sha256": "c60d89261c09dc6eaea0a3af26af55519421cb927a1b8183009d09b2d4e99b94",
            "versions": [
                "0.0.2-security-research"
            ],
            "modified_time": "2026-06-10T23:35:17Z"
        }
    ]
}
References
Credits

Affected packages

npm / encrypted-archive

Package

Affected ranges

Affected versions

0.*
0.0.2-security-research
99.*
99.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/encrypted-archive/MAL-2026-5286.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "encrypted-archive-0.0.2-security-research.tgz",
            "hashes": {
                "sha512_sri": "sha512-NvFPVGUysChXjyH1vYUjgzb91wRo1dHUbYYVPumbB49ChLL/lro+3wSYQWkXlOvB8YvNGvc2WxEqKR6ss/5F4g==",
                "sha1": "06a0da8976094f8a6a66871c9039835fcd9ca658"
            }
        }
    ],
    "domains": [
        "encrypted-archive.d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me",
        "d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me"
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "e448b5cb0d2b6378be4ae31021ee2fa89f1613ba41b03c2291d2dc47b07ff812",
            "tlsh": "aed0c2ad2ba0da1c5fa2c5c0f4a8a81e905393483581805165890974098a37659a4dd0"
        },
        {
            "path": "package.json",
            "sha256": "b3ee52b5df201bfc206859480845be220ff8804055b4e337f6f55baed2df112c",
            "tlsh": "77e02b692c24483326f141e51831a44db124c80b5892be1cb6e3054c731de6645760ce"
        }
    ]
}