MAL-2026-5402

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/screenpipe-mcp-http/MAL-2026-5402.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5402
Published
2026-06-09T16:05:14Z
Modified
2026-06-09T17:16:27.960536596Z
Summary
Malicious code in screenpipe-mcp-http (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790)

screenpipe-mcp-http@9999.99.99 is a dependency-confusion lure that beacons installer-identifying data to an attacker-controlled domain on npm install. The package.json declares an absurdly high version (9999.99.99) with description 'npm 404 error referenced in screenpipe/screenpipe', the canonical shape of a dependency-confusion claim against an unregistered name referenced by an upstream project. A postinstall hook (postinstall.js) POSTs a JSON body to https://ddactic-lab.online/sc/beacon containing the npm package name/version, Node version, OS, CI detection flag, and GitHub Actions metadata (GITHUBREPOSITORY, GITHUBREPOSITORYOWNER, GITHUBWORKFLOW). To bypass corporate HTTP egress filters, the same data is also encoded into a subdomain of b.ddactic-lab.online and exfiltrated via DNS lookup. index.js further recursively requires its own name (module.exports = require('screenpipe-mcp-http')), so any internal upstream reference that resolves through npm pulls this attacker-controlled package.

Database specific 
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T16:05:14Z",
            "versions": [
                "9999.99.99"
            ],
            "sha256": "28109405008c1eaee3b3702337a3278723bb7e70e01929a4b76132b19c705790",
            "id": "IN-MAL-2026-004953",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.135314554Z"
        },
        {
            "modified_time": "2026-06-09T16:05:14Z",
            "versions": [
                "9999.99.99"
            ],
            "sha256": "46c309150113bf04c90487208489e8a26337731319956c1183e7d8e26806a0e0",
            "id": "IN-MAL-2026-004954",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:44.206389494Z"
        }
    ]
}
References
Credits

Affected packages

npm / screenpipe-mcp-http

Package

Name
screenpipe-mcp-http
View open source insights on deps.dev
Purl
pkg:npm/screenpipe-mcp-http

Affected ranges

Affected versions

9999.*
9999.99.99

Database specific

indicators 
{
    "domains": [
        "ddactic-lab.online",
        "screenpipe-mcp-http.none.1a63a58b.b.ddactic-lab.online",
        "screenpipe-mcp-http.none.1a63a58b.b.ddactic-lab.online.ec2.internal"
    ],
    "evidence_files": [
        {
            "sha256": "e5c7efaa25bd6fc20c40fe6e39a40957043022e78b5ec6d9ad2b9e49a3ef75c8",
            "tlsh": "e241a755829891340fe122c9b852c8165d7bd49633e799f0774d15226fc92bc03b2fdf",
            "path": "postinstall.js"
        },
        {
            "sha256": "9874231134b39da18e297499e46a85ad612616a4d395396e4e7a3ee74b0252c6",
            "tlsh": "3ff0aed98d6547b31ed42987cc5a114eb7324c278444780a13d70838974fa6744fd219",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "screenpipe-mcp-http-9999.99.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-JddeLgur3GflpVA9wAG16HSSThBAftsycUc/JTa30JOLU/rlU/Tvr+pXAD9mcyF6JZRrPb6W6gbr7in9oq6Nxw==",
                "sha1": "c4497cb21f7fb79619b7cc072d8ac2f513dbe20c"
            }
        }
    ]
}
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/screenpipe-mcp-http/MAL-2026-5402.json"