-= Per source details. Do not edit below this line.=-
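On npm install, the package's preinstall hook (scripts.preinstall: node index.js || true) runs index.js; the trailing || true makes the hook report success even if the script fails, so the install completes without a visible error. index.js collects host identity — os.hostname(), os.userInfo().username, __dirname, and process.cwd() — and exfiltrates it through two channels: (1) an HTTP POST to the hardcoded bare IP 172.201.213.59:9090/c, and (2) a DNS resolution of hex-encoded subdomain labels under d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an interactsh-style out-of-band beacon). The package has no advertised functionality beyond this beacon; its description reads "security research", and the scoped name @card-pci-data/store impersonates payment-card / PCI-related tooling, consistent with a dependency-confusion or namespace-abuse lure. This auto-executes on a default install (npm runs lifecycle scripts unless they are disabled, for example with --ignore-scripts) and produces clear attacker benefit (installer host fingerprint delivered to attacker-controlled infrastructure). The hex labels differ per host: the name recorded under "domains" below decodes to a JSON fragment holding the analysis sandbox's own hostname, username and install path, so detections should match on the parent domain and the IP:port rather than on that full name.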
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-09T17:35:54Z",
"versions": [
"99.0.1"
],
"sha256": "33b09478f47cfd67351be7f721c43e09b762c10c8a906841cfbd23831402545e",
"id": "IN-MAL-2026-005079",
"source": "amazon-inspector",
"import_time": "2026-06-09T17:45:53.245710638Z"
},
{
"modified_time": "2026-06-09T17:35:53Z",
"versions": [
"99.0.1"
],
"sha256": "9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871",
"id": "IN-MAL-2026-005078",
"source": "amazon-inspector",
"import_time": "2026-06-09T17:45:53.147066206Z"
},
{
"modified_time": "2026-06-09T17:55:24Z",
"versions": [
"99.0.0"
],
"sha256": "779786fd07ed03346ff0fac4649d39b7d75f0e02269dda4247843e6b5fa409b3",
"id": "IN-MAL-2026-005147",
"source": "amazon-inspector",
"import_time": "2026-06-09T18:50:19.635342359Z"
},
{
"modified_time": "2026-06-09T17:55:24Z",
"versions": [
"99.0.0"
],
"sha256": "4665eb8e66828c47db4912fce66beb3d7a30609a37a48a81d6010d796ba4fbf6",
"id": "IN-MAL-2026-005146",
"source": "amazon-inspector",
"import_time": "2026-06-09T18:50:19.473340045Z"
}
]
}{
"domains": [
"7b2268223a227363616e2d313566656561353430633565222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f40636172642d7063692d646174612f73746f7265222c226322.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
],
"evidence_files": [
{
"sha256": "5e6a71454d901349dd305b024607124b6e60d0de67c15f724432ab876f883169",
"tlsh": "fdf041e222b0d0fd9b708a90bcc46a8053b3d642b00288f0dc4c0fcf06c28d05d769f1",
"path": "index.js"
},
{
"sha256": "174ce00326dc0301df92e6230104dbfc4d07580f7d83a0e6904a523ee26d4580",
"tlsh": "f6c012782930b8361aa587f169766c4c71f98654508449084ae6517495b6bd891ad015",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-8F1mWva0CQzXAqQWuzO39czBXg1eyQJAN8xQSg8pHVaJVqlCpDE9wD1pBxA8SqEoEefVp3H5T7ol+jAZuZ0Liw==",
"sha1": "1b8ac6d1426ccf779b7405be08b567c6a7d78d88"
},
"filename": "store-99.0.1.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@card-pci-data/store/MAL-2026-5407.json"