MAL-2026-5393

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sflyinc-knapsack/shutterfly-react/MAL-2026-5393.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5393
Published
2026-06-09T16:06:18Z
Modified
2026-06-09T17:16:30.006604350Z
Summary
Malicious code in @sflyinc-knapsack/shutterfly-react (npm)
Details


Source: amazon-inspector (d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d)

On require/load, index.js collects host identifiers (os.hostname(), os.userInfo(), os.homedir()), DNS server configuration, package.json metadata, and __dirname, then HTTPS-POSTs them to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com — a Burp Collaborator (OAST) subdomain. The package is published at version 999.0.0 under a scope mimicking an internal Shutterfly namespace, designed to win npm version resolution against the legitimate private package. Any installer who imports this package leaks host and internal-package metadata to an attacker-controlled endpoint. The package's own description self-identifies as a dependency-confusion proof-of-concept, but the live registry artifact still executes against any consumer that resolves it.
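The pattern above (a private-looking scope resolved from the public registry, an implausibly high version such as 999.0.0, and a tarball with a known-bad hash) can be checked for before anything is ever required. The following is an added example for defenders, not code from the advisory, OSV or the ossf/malicious-packages project: it scans a package-lock.json (lockfileVersion 2 or 3 "packages" map) and flags entries that match any of those three signals. The known-malicious SRI hash is the one listed in the package_integrity block below; the private scope list, the private registry host name (npm.internal.example) and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example (not part of the advisory or of OSV/ossf code): flag dependency-confusion
// indicators in a package-lock.json v2/v3 "packages" map.
//   1. tarball integrity matches a known-malicious SRI hash,
//   2. a scope that must come from the private registry was resolved elsewhere,
//   3. the major version is implausibly high (the 999.0.0 trick).

// Hash of the malicious tarball, copied from the advisory's package_integrity block.
const KNOWN_BAD_SRI = new Set([
  "sha512-FBskLH9SvuumJ8mzT8hgHuUiSaK7XNrHj8RxNFQCKtELW0c48I8yUvJONL0HP5nWaMQzbLKrMBJyNs7qjTuIAg==",
]);

// Assumption: scopes that are internal to the organisation, and the host of the
// private registry they are expected to resolve from (hypothetical host name).
const PRIVATE_SCOPES = new Set(["@sflyinc-knapsack"]);
const PRIVATE_REGISTRY_HOST = "npm.internal.example";
const PUBLIC_REGISTRY_HOST = "registry.npmjs.org";

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

function registryHostOf(resolved) {
  try {
    return new URL(resolved).hostname;
  } catch {
    return null; // file:, link:, git dependencies, or no "resolved" field at all
  }
}

// Returns one finding per suspicious dependency: { name, version, resolved, reasons }.
function findingsForLock(lock, { suspiciousMajor = 900 } = {}) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const name = packageNameFromLockKey(key);
    const reasons = [];

    if (meta.integrity && KNOWN_BAD_SRI.has(meta.integrity)) {
      reasons.push("known-malicious-integrity");
    }

    const host = registryHostOf(meta.resolved);
    const scope = scopeOf(name);
    if (scope && PRIVATE_SCOPES.has(scope) && host !== null && host !== PRIVATE_REGISTRY_HOST) {
      reasons.push(host === PUBLIC_REGISTRY_HOST
        ? "private-scope-resolved-from-public-registry"
        : "private-scope-resolved-from-unexpected-host");
    }

    const major = Number.parseInt(String(meta.version ?? "").split(".")[0], 10);
    if (Number.isInteger(major) && major >= suspiciousMajor) {
      reasons.push("implausible-version");
    }

    if (reasons.length) {
      findings.push({ name, version: meta.version, resolved: meta.resolved, reasons });
    }
  }
  return findings;
}

// Constructed sample lockfile: the first entry mirrors the advisory's package
// (name, version, tarball name and SRI hash), the other two are benign.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@sflyinc-knapsack/shutterfly-react": {
      version: "999.0.0",
      resolved: "https://registry.npmjs.org/@sflyinc-knapsack/shutterfly-react/-/shutterfly-react-999.0.0.tgz",
      integrity: "sha512-FBskLH9SvuumJ8mzT8hgHuUiSaK7XNrHj8RxNFQCKtELW0c48I8yUvJONL0HP5nWaMQzbLKrMBJyNs7qjTuIAg==",
    },
    "node_modules/@sflyinc-knapsack/internal-ui": {
      version: "2.4.1",
      resolved: "https://npm.internal.example/@sflyinc-knapsack/internal-ui/-/internal-ui-2.4.1.tgz",
      integrity: "sha512-CONSTRUCTEDBENIGNHASHCONSTRUCTEDBENIGNHASHCONSTRUCTEDBENIGNHASH00000000000000000000==",
    },
    "node_modules/react": {
      version: "18.2.0",
      resolved: "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
      integrity: "sha512-CONSTRUCTEDBENIGNHASHCONSTRUCTEDBENIGNHASHCONSTRUCTEDBENIGNHASH11111111111111111111==",
    },
  },
};

console.log(JSON.stringify(findingsForLock(SAMPLE_LOCK), null, 2));
```

In a real pipeline the lockfile object comes from JSON.parse over the checked-in package-lock.json, and the scan runs in CI before npm ci so that a confused resolution is caught before index.js gets a chance to execute. The scope check is the durable control: the hash list only catches this one artifact, and the version threshold only catches the crude 999.x variant, whereas any package in a private scope that resolves to a host other than the private registry is wrong regardless of version or hash.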

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T16:06:19Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "8d25695a7eded18f548d50ed71fd21fb7eed6b20300c158dd0345659df729cc1",
            "id": "IN-MAL-2026-004964",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.789424185Z"
        },
        {
            "modified_time": "2026-06-09T16:06:18Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d",
            "id": "IN-MAL-2026-004963",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.727246563Z"
        }
    ]
}
References
Credits

Affected packages

npm / @sflyinc-knapsack/shutterfly-react

Package

Name
@sflyinc-knapsack/shutterfly-react
Purl
pkg:npm/%40sflyinc-knapsack%2Fshutterfly-react

Affected ranges

Affected versions

999.*
999.0.0

Database specific

indicators
{
    "domains": [
        "nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "2d35a30029f166d5354591cea3a714bc43ce66b8ee66738b2ac593b8b8a05b0c",
            "tlsh": "a1118ce4c5e123600dba45947499e00822aae737750e6cd8f58d03d04fcaabd60b39f2",
            "path": "index.js"
        },
        {
            "sha256": "1699a1bc2d8fa5edb4f5dba0810e8cf0514439d4ff892e46d653f9aa134b700b",
            "tlsh": "dfe026b8c24054630de6c9e915726216681ecc372400fa69af4a125c92defb7da76768",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "shutterfly-react-999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-FBskLH9SvuumJ8mzT8hgHuUiSaK7XNrHj8RxNFQCKtELW0c48I8yUvJONL0HP5nWaMQzbLKrMBJyNs7qjTuIAg==",
                "sha1": "eafd12bebd0a167dc70228a97ebf225b4dac982b"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sflyinc-knapsack/shutterfly-react/MAL-2026-5393.json"