MAL-2026-5287

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uhd-setup/MAL-2026-5287.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5287
Published
2026-06-06T19:02:40Z
Modified
2026-06-09T21:01:37.174433540Z
Summary
Malicious code in uhd-setup (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8cd16b0b6896b16874da441b7197b846bf0c725dcff0ef2d6e8f93c6cc08fc99)

package.json declares scripts.preinstall: node index.js. On npm install, index.js (lines 4-5) performs dns.resolve and https.get against <id>.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online, an Interactsh OAST collector. The request fires unconditionally with no opt-out, leaking the installer's egress IP, internal DNS resolver identity, and fact-of-install (with the package id encoded in the subdomain and URL path) to a third-party-controlled endpoint. The README frames this as authorized dependency-confusion research targeting Ubiquiti, but the beacon does not gate on any organizational identifier — any installer that pulls this name (typo, internal-name collision, automated mirror) sends build-system metadata to the researcher. Trigger is the preinstall lifecycle hook, so the network call fires before any code review opportunity.

Source: ossf-package-analysis (358eee34aaba61eaa93e977d35a18f35f59a56527d7c20b6e9a0bdf9c4a0a8da)

The OpenSSF Package Analysis project identified 'uhd-setup' @ 99.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.0.0"
            ],
            "sha256": "358eee34aaba61eaa93e977d35a18f35f59a56527d7c20b6e9a0bdf9c4a0a8da",
            "modified_time": "2026-06-06T19:02:40Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-06-06T19:34:10.035644618Z"
        },
        {
            "versions": [
                "0.0.1-security-research"
            ],
            "sha256": "7cf641e43172371f2f9c843ad0b68bad139485231e30e9ef8072197977d9f2d5",
            "modified_time": "2026-06-09T20:44:09Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005244",
            "import_time": "2026-06-09T20:45:59.815869001Z"
        },
        {
            "versions": [
                "0.0.1-security-research"
            ],
            "sha256": "8cd16b0b6896b16874da441b7197b846bf0c725dcff0ef2d6e8f93c6cc08fc99",
            "modified_time": "2026-06-09T20:44:08Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:59.636747398Z",
            "id": "IN-MAL-2026-005243"
        }
    ]
}

Affected packages

npm / uhd-setup

Affected versions

0.*
0.0.1-security-research
99.*
99.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "uhd-setup-0.0.1-security-research.tgz",
            "hashes": {
                "sha512_sri": "sha512-lABJRYBYdkO2B7/Rz9B/BGbBCMTcCbWkCQbs1Ma9nT8yiOWSk9EZWllD86u7jBpcxROo1ClkuUIezLDRFgtvIg==",
                "sha1": "de2cb00c9af2ba56f4a5ce21f9c7d2e6d83cbd44"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "360abfce2267dda034c4ab35ec47909a7b4e1a299ca7a14d6112537a352e11ea",
            "path": "index.js",
            "tlsh": "21d0c2f923e1f27809a1a8d4d285f92e8403d00033ac9054d02846b49c83b79a8f08d0"
        }
    ],
    "domains": [
        "d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online",
        "uhd-setup.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uhd-setup/MAL-2026-5287.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]