MAL-2026-5366

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zer0one-dnslog/MAL-2026-5366.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5366
Published
2026-06-08T02:31:13Z
Modified
2026-06-11T00:16:29.234924571Z
Summary
Malicious code in zer0one-dnslog (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (903c45d49e6716373a67196c41e8acfbf8afa3320a635380ffe3403e8f127605)

The package is published as a 'simple date formatting utility' but ships a postinstall payload that, on npm install, runs a curl pipeline against cloud instance-metadata services to harvest temporary IAM credentials and internal SSRF data, then POSTs the collected output to an attacker-controlled out-of-band host. Specifically, postinstall.js issues curls to AWS metadata at 169.254.169.254 (IAM security-credentials path), Aliyun at 100.100.100.200, Tencent at metadata.tencentyun.com / 169.254.0.23, and Meituan-internal mtsrc-test.sankuai.com, writes the responses to /tmp/aws.txt, /tmp/ali.txt, /tmp/tx.txt, /tmp/tx2.txt, and uploads them via curl -X POST to https://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata along with a listing of /data/. package.json declares "postinstall": "node postinstall.js", so the harvest fires automatically on default install. On any cloud build host or CI runner this leaks role credentials with full AWS/Aliyun/Tencent access. The advertised purpose mismatches the shipped behavior (index.js is a one-line hello stub), confirming the package is a lure for credential theft, not a date utility.

Source: ossf-package-analysis (61ff41f8e8f8f87ab7d1d60d8bed288957cbfa3352dfc6478b12f628c93c51c9)

The OpenSSF Package Analysis project identified 'zer0one-dnslog' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "61ff41f8e8f8f87ab7d1d60d8bed288957cbfa3352dfc6478b12f628c93c51c9",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-08T02:31:13Z",
            "import_time": "2026-06-09T12:03:47.411415779Z"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "sha256": "c2cc8de5d9d6de7b0ab31f591bd6418cc0d482117f5f952df04deaba89672134",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:56:17Z",
            "import_time": "2026-06-11T00:00:59.840527467Z",
            "id": "IN-MAL-2026-005335"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "e9add80ac470cd19bebab26fe48f5a57944ceb11e4f5f5580c45b1b1055da86a",
            "modified_time": "2026-06-10T23:56:22Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:59.934183599Z",
            "id": "IN-MAL-2026-005336"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "sha256": "14c7974b91fefdaeda12ecae9ba56b695a3175660a5b909e1fd1d690ac00b333",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:56:07Z",
            "import_time": "2026-06-11T00:00:59.642317482Z",
            "id": "IN-MAL-2026-005333"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "1737c20fc87ad17964764d878c29cd4aa0904cd89167b4a75a047dbea57ed181",
            "modified_time": "2026-06-10T23:56:38Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005340",
            "import_time": "2026-06-11T00:01:00.437728685Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "3436b4a0b68bee759a63e400555a990d224dc978a19ddcfdb9b94c2dd96d986f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:56:26Z",
            "import_time": "2026-06-11T00:01:00.016830668Z",
            "id": "IN-MAL-2026-005337"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "903c45d49e6716373a67196c41e8acfbf8afa3320a635380ffe3403e8f127605",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:56:01Z",
            "import_time": "2026-06-11T00:00:59.453854283Z",
            "id": "IN-MAL-2026-005332"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "02da6de040acd0c673cf660c84536fb07f0ef7d1e4c15a0159dd27e8e0466993",
            "modified_time": "2026-06-10T23:56:32Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:01:00.117732991Z",
            "id": "IN-MAL-2026-005338"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "3714936a86eec93a75462059eb29f23ceaefec05fd66d658ddc6baf15470d8b4",
            "modified_time": "2026-06-10T23:55:31Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:59.3813364Z",
            "id": "IN-MAL-2026-005331"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "75a6ef3f1d10306e18575a6cab188fdece0b2343588dec03968b65288190c0c0",
            "modified_time": "2026-06-10T23:56:37Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:01:00.360751495Z",
            "id": "IN-MAL-2026-005339"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "sha256": "929b37abcbef3fb43b3aaeec29e917240e6a69c5dbd84a64082f09df1b97dee7",
            "modified_time": "2026-06-10T23:56:12Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:59.735399565Z",
            "id": "IN-MAL-2026-005334"
        },
        {
            "versions": [
                "1.0.9"
            ],
            "sha256": "a8112adecee9cb8de528b88755300c268ec9a5cd2d2d427f951d23cbfd961abc",
            "modified_time": "2026-06-10T23:55:26Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005330",
            "import_time": "2026-06-11T00:00:59.306647963Z"
        }
    ]
}
References
Credits

Affected packages

npm / zer0one-dnslog

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "zer0one-dnslog-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-irhcP/bb+q64hXZfeIu+ni6IMrB5s3+iet0HA3pGRdM11Bx7zULoI8D/JU5Ufa/6+fR+8oFs0gZHVwdGTkCzUQ==",
                "sha1": "7ec6f9c4c525b147f5c476dbe5f9a9d0130a3982"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e343aa6479e29bc61959e5c94c9c684bfbab4e312318b403f6382b55568c7e83",
            "path": "postinstall.js",
            "tlsh": "35016d983621be367e858f79d369030eb401f95b1fc0bb8481a61cf04d49e61b069b08"
        }
    ],
    "domains": [
        "webhook.site"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zer0one-dnslog/MAL-2026-5366.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]