MAL-2026-5400

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/multica/MAL-2026-5400.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5400
Published
2026-06-09T16:05:05Z
Modified
2026-06-09T17:16:27.656094373Z
Summary
Malicious code in multica (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2)

Package is published at version 9999.99.99 with a description referencing an npm 404 in multica-ai/multica and a main module that recursively requires multica itself — the canonical shape of a dependency-confusion probe designed to win resolution against an internal package of the same name. On npm install, postinstall.js unconditionally POSTs a JSON payload containing the package name/version, Node version, OS platform, timestamp, detected CI vendor (selected from a list of 12 CI environment variables), and — when set — GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW to https://ddactic-lab.online/sc/beacon. A DNS fallback channel encodes a package slug, CI slug, and hash into a subdomain of b.ddactic-lab.online to bypass HTTP-blocking egress proxies. Installer harm: silent disclosure of internal package names, CI vendor, and GitHub org/repo/workflow identifiers to an attacker-controlled endpoint at install time, mapping which organizations resolve internal names to this public tarball.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T16:05:05Z",
            "versions": [
                "9999.99.99"
            ],
            "sha256": "d7d3e4277fb571072315c7f64c269029cd53c78b3ff27ec5536d748c659fd6a2",
            "id": "IN-MAL-2026-004951",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.041464942Z"
        },
        {
            "modified_time": "2026-06-09T16:05:06Z",
            "versions": [
                "9999.99.99"
            ],
            "sha256": "ece88aabcd1ebbdef6133024c757b2ce9efa038fabbce6d40ed87f9d60a3a735",
            "id": "IN-MAL-2026-004952",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.085919792Z"
        }
    ]
}

Affected packages

npm / multica

Affected versions

9999.*
9999.99.99

Database specific

indicators
{
    "domains": [
        "ddactic-lab.online",
        "multica.none.eb9675bf.b.ddactic-lab.online",
        "multica.none.eb9675bf.b.ddactic-lab.online.ec2.internal"
    ],
    "evidence_files": [
        {
            "sha256": "e5c7efaa25bd6fc20c40fe6e39a40957043022e78b5ec6d9ad2b9e49a3ef75c8",
            "tlsh": "e241a755829891340fe122c9b852c8165d7bd49633e799f0774d15226fc92bc03b2fdf",
            "path": "postinstall.js"
        },
        {
            "sha256": "4e023071425857ba2cdf256930249f55d85ad3a26d5dc7e7424ce219d792e126",
            "tlsh": "95e0e5048d2067732ed836d5987a11c6b7720d0ba948bc2967a7001c87de9ab45be12a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-bBiQUUUXe9YheiHyratERQ3+jDvKi3n2on++cfjE4X8HJHaMamAjmNXbvJ5yncgDjWPfkj0l2P3fSQPVosMezA==",
                "sha1": "1c7a0f237162d1e248b839e39e03a324ee840cd2"
            },
            "filename": "multica-9999.99.99.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/multica/MAL-2026-5400.json"