Note: This report is updated by a verification record
Dep-confusion squat of internal @demica/shared at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); "authorized canary" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.
-= Per source details. Do not edit below this line.=-
On install, the package's postinstall hook (node canary.js postinstall per package.json) issues an unconditional HTTP GET to bare IP 157.230.17.236:80 at path /dc with query params containing the package name, version, a nonce, and the lifecycle phase. No environment variables, filesystem contents, or credentials are read or transmitted; the payload is limited to package metadata. The README describes this as an authorized dependency-confusion canary against the @demica scope. The fact-of-install ping is otherwise benign, but it performs unconsented outbound network at install time, the destination is a bare IP over cleartext HTTP with no authentication or pinning, and the same postinstall hook is a position from which a future republish could deliver arbitrary payloads. Routing to human review so the @demica organization can confirm the canary is theirs and that the destination IP is operator-controlled.
{
"malicious-packages-origins": [
{
"sha256": "dfc020ab633bac129072df0d74deea8e0a2e118b43dbebf01ba9bbf2b13b6e76",
"id": "IN-MAL-2026-005010",
"import_time": "2026-06-09T17:45:48.736420074Z",
"modified_time": "2026-06-09T17:17:04Z",
"versions": [
"99.99.100"
],
"source": "amazon-inspector"
},
{
"versions": [
"99.99.99"
],
"id": "IN-MAL-2026-008112",
"modified_time": "2026-07-08T16:26:35Z",
"sha256": "becb5aca9f28fbd99a4f45ed70489960879ba81cfbd2071648c98cf5e867d8f9",
"import_time": "2026-07-08T17:01:31.442519658Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "a0011edb48b1e27223f608caa0630e67f212d291326bacf07c8809411f8e88c4276994",
"sha256": "f0e043a9aa214fb0e7b51f2db91b34110f86ec47d1b9f986817ecfab32db66a2",
"path": "canary.js"
},
{
"tlsh": "b0e055209a100d3721d815d90c6e406391630c2b0a043d2873af405c575e3b726ff22e",
"sha256": "916dd2a16d4bcb559c5da020f7768ca235bc374942a61ffdd6c9b2758c4264c2",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "shared-99.99.100.tgz",
"hashes": {
"sha512_sri": "sha512-pHwqm1rzcY74zztUBYZUW8fBzIPAI4pqH621RewuSQ78aZ2jpu6FEtOjydE1LxQcKVfhyapcAm3daqpQqR0F5A==",
"sha1": "d65f625818583c60e1a94e298d6e8c2b64ac2783"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@demica/shared/MAL-2026-5351.json"