MAL-2026-5350

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@demica/resources/MAL-2026-5350.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5350

Published

2026-06-09T07:52:42Z

Modified

2026-06-09T18:01:35.187230635Z

Summary

Malicious code in @demica/resources (npm)

Details

Note: This report is updated by a verification record

Dep-confusion squat of internal @demica/resources at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); "authorized canary" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (98805b03541bafd28883acb75e8fd9d0e4ea947d75062563c34438dec82139bf)

On npm install, the package's scripts.postinstall executes canary.js, which issues an unconditional plain-HTTP GET to the hardcoded bare IP 157.230.17.236 on port 80 at path /dc?.... The query string includes os.hostname() (truncated to 200 chars) plus the package name, version, a nonce, and a phase identifier. This fires automatically on every install with no opt-out. The package self-describes as a 'dependency-confusion canary,' but it is published on the public npm registry under the @demica/* scope: any installer that resolves @demica/resources — including via accidental dependency confusion, typo, or curiosity install — will leak their hostname to the operator of that bare IP over unencrypted HTTP. The destination is an anonymous bare IP with no associated domain, publisher, or disclosure; hostname is an installer-side host identifier transmitted off-host to an attacker-shaped endpoint.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T17:45:48.781767216Z",
            "versions": [
                "99.99.100"
            ],
            "sha256": "98805b03541bafd28883acb75e8fd9d0e4ea947d75062563c34438dec82139bf",
            "id": "IN-MAL-2026-005011",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:17:09Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / @demica/resources

Package

Name: @demica/resources; View open source insights on deps.dev
Purl: pkg:npm/%40demica%2Fresources

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

99.*

99.99.100

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "0383509dcbcb2b73adaf08369e849a006a06f130c703013f2b42b46a089fb5af",
            "tlsh": "0401f1db88f2d231a3f609ca64a34e67f122d291326bacf0b88c19511f8e98c43755d4",
            "path": "canary.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-usZC4m0eLfBF338dOj+4GEhW8LQsktvuJjg2GysxcwscAQ1n9w3IwIkK1NkU/XbXDcJPwW9MjogsxCUnvttQFg==",
                "sha1": "e3020603b20e1a28a9fa0a94f0a44d543be787e9"
            },
            "filename": "resources-99.99.100.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@demica/resources/MAL-2026-5350.json"