MAL-2026-5399

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/kraken-ui/MAL-2026-5399.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5399
Published
2026-06-09T16:06:25Z
Modified
2026-06-09T17:16:27.461375134Z
Summary
Malicious code in kraken-ui (npm)
Details


Source: amazon-inspector (168f5bafda658807ea431a8cb06a1e3006d639d17b7f0c97d3d63e34f49129d5)

On require/load, index.js imports os, dns, https, querystring, and the local package.json, then collects os.hostname(), os.userInfo().username, os.homedir(), __dirname (install path), dns.getServers(), and the full package.json contents, and HTTPS POSTs the JSON payload to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com (a Burp Collaborator OAST subdomain). The version 999.0.0 plus self-described 'dependency confusion proof of concept' is the canonical dependency-confusion attack shape: it is published to the public registry to override an internal package of the same name. Any installer or build system whose resolver picks up this version leaks identifying host/user info and internal DNS topology to an attacker-controlled out-of-band server. Behavior fires automatically when the module's main entry is loaded.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T16:59:44.841844855Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "168f5bafda658807ea431a8cb06a1e3006d639d17b7f0c97d3d63e34f49129d5",
            "id": "IN-MAL-2026-004965",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:06:25Z"
        },
        {
            "import_time": "2026-06-09T16:59:44.908531886Z",
            "versions": [
                "999.0.0"
            ],
            "sha256": "88479e71edbc32519f47f7b8dc147285016c90e64650c763a784fee83f022c95",
            "id": "IN-MAL-2026-004966",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:06:25Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / kraken-ui
Affected ranges: 999.*
Affected versions: 999.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "2d35a30029f166d5354591cea3a714bc43ce66b8ee66738b2ac593b8b8a05b0c",
            "tlsh": "a1118ce4c5e123600dba45947499e00822aae737750e6cd8f58d03d04fcaabd60b39f2",
            "path": "index.js"
        }
    ],
    "domains": [
        "nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-/lM8px+RzIoR4iNMZNSBBrU7Ib9LQQufcmkGY0KyKLAhrlygelQ3VuBTKRgOOSrrvN59hVy3Q9UCcU7d1M7FJA==",
                "sha1": "7a71324e82769855b878a08f6c33e1b4d99f1a65"
            },
            "filename": "kraken-ui-999.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/kraken-ui/MAL-2026-5399.json"