MAL-2026-5411

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-about/routes/MAL-2026-5411.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5411
Published
2026-06-09T17:35:19Z
Modified
2026-06-09T19:01:27.923365022Z
Summary
Malicious code in @klapp-about/routes (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875)

On npm install, the package's preinstall hook (node index.js) collects host and user identity data — os.hostname(), os.userInfo().username, __dirname, process.cwd(), pid, node version, platform, and architecture — and ships them to two attacker-controlled destinations: (a) an HTTP POST to a bare IP http://172.201.213.59:9090/cb/klapp-about-routes carrying the collected fields as JSON, and (b) a hex-encoded DNS lookup to *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (interactsh out-of-band callback). The package name @klapp-about/routes and the unusually high version 99.0.0 are the canonical shape of a dependency-confusion attack — an internal-looking scope published to public npm at a version high enough to override a private resolver. Self-description as a 'security research / dependency-confusion PoC' does not change installer-side impact: any developer or CI system that misroutes installs to the public registry has their machine fingerprint shipped to the hardcoded IP and DNS callback service without consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "3a89d8d92c1d5303d17c64a14353dfd86d738d620129a830af3684b6ab2e2167",
            "id": "IN-MAL-2026-005097",
            "import_time": "2026-06-09T17:45:54.508315496Z",
            "modified_time": "2026-06-09T17:40:05Z",
            "versions": [
                "99.0.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "99d2936e8940c6e62254cb8aefb5220dad856de80e50243788f3282e17035c10",
            "id": "IN-MAL-2026-005074",
            "import_time": "2026-06-09T17:45:52.935484151Z",
            "modified_time": "2026-06-09T17:35:19Z",
            "versions": [
                "99.0.2"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "dd5d030db916b2c1fcac6ca8ebaa5415eae8a32ad67a5104b78a17d535111a10",
            "id": "IN-MAL-2026-005073",
            "import_time": "2026-06-09T17:45:52.886613792Z",
            "modified_time": "2026-06-09T17:35:19Z",
            "versions": [
                "99.0.2"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "fbc76fb74ca69f4553d9ffdb5b337805879b2a9d689fef836fb3b23e18a34482",
            "id": "IN-MAL-2026-005098",
            "import_time": "2026-06-09T17:45:54.579342445Z",
            "modified_time": "2026-06-09T17:40:06Z",
            "versions": [
                "99.0.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875",
            "id": "IN-MAL-2026-005138",
            "import_time": "2026-06-09T18:50:18.788106852Z",
            "modified_time": "2026-06-09T17:52:45Z",
            "versions": [
                "99.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-005139",
            "modified_time": "2026-06-09T17:52:46Z",
            "sha256": "d37bd4622a778532f5476c87ebbe915d7d07d5ae30bf817d52ebdad17154c789",
            "import_time": "2026-06-09T18:50:18.853693386Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @klapp-about/routes

Package

Name
@klapp-about/routes
View open source insights on deps.dev
Purl
pkg:npm/%40klapp-about%2Froutes

Affected ranges

Affected versions

99.*
99.0.0
99.0.1
99.0.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "bff0e1d112b0e0584b7154d0eaaba9451373c6127002c8f0ec8d07ce1fc69e0ccb35e6",
            "sha256": "cab3a2defa8489a4f078f69b759a16eb5354512c53b99509db67bbeb8e30b814",
            "path": "index.js"
        },
        {
            "tlsh": "fcd0a7745c34503314d592b60c75540a7171cd1e10547c4d9b9b141851ebb7354bb24d",
            "sha256": "d3957ed5741f98aea3d6479e0f505f844c6b30a68e65f2046acbb768a8814cc8",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "routes-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-TtRL1zAkKP/fMvdKJxX4Unalt95prA5tvPH3TdkLJ/gyAyknyhXKtZsfTjjAAb+WgrCFs5NV1AG8keNiQ+/qcA==",
                "sha1": "740674f10549deb94a448b586c23b976144e9b59"
            }
        }
    ],
    "domains": [
        "7b2268223a227363616e2d396530326561666136653039222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406b6c6170702d61626f75742f726f75746573222c2263223a.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-about/routes/MAL-2026-5411.json"