-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall hook executes node index.js, which collects the installer's hostname, OS username, current working directory, __dirname, and package name, then exfiltrates them through two channels unconditionally: (1) a hex-encoded DNS A-record query to a subdomain of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an interactsh-style out-of-band collector), and (2) an HTTP POST of a JSON payload to http://172.201.213.59:9090/c. The package has no other functionality — package.json declares description: "security research", version 99.0.0 (dependency-confusion-style high version), and a KYC-themed scope (@klapp-kyc/routes) suggesting targeted reconnaissance against a specific organization's internal namespace. Regardless of the self-description, installers' internal host identifiers are leaked to attacker-controlled infrastructure.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005083",
"versions": [
"99.0.1"
],
"sha256": "117301b4ebab6f5a18c2b3dafaa501e36c8b666a2c926950805f169ae3a982a4",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:37:43Z",
"import_time": "2026-06-09T17:45:53.491320246Z"
},
{
"id": "IN-MAL-2026-005082",
"versions": [
"99.0.1"
],
"sha256": "ad94c92fd5b9921bc74eebca1ec5a25c4547ca62c54d9026850535d2f4c39849",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:37:43Z",
"import_time": "2026-06-09T17:45:53.44529867Z"
},
{
"id": "IN-MAL-2026-005151",
"import_time": "2026-06-09T18:50:20.16197964Z",
"sha256": "47cc2d1136216fc706d2aab88cd6cf12099d78ebc723c090b93f1b93d62d101b",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:56:34Z",
"versions": [
"99.0.0"
]
},
{
"id": "IN-MAL-2026-005150",
"import_time": "2026-06-09T18:50:20.063003389Z",
"sha256": "ca32e3aa7685d93e36eca726e08096bd0c5ba425172ef254fdf769cc09b46887",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:56:33Z",
"versions": [
"99.0.0"
]
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "index.js",
"sha256": "5da01fbeba09a26f53a70b0559ffbcaa1bac4ab85d080385e8f0fe6aa280bff0",
"tlsh": "64f0e1e161b0d0f99b709590bdd46a8457b3d656b04288f0dc4d0fcf46c64d09d7a9e1"
},
{
"path": "package.json",
"sha256": "284748f597576d6c2a62336da6efe09ac5257250402905f82146964cec7c9a6a",
"tlsh": "e2c0807c2d31b436176183f46d756c4c71f9c61410d48d448fe6457454b17e8d09e015"
}
],
"package_integrity": [
{
"filename": "routes-99.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-E043WZg8OqANqCI6DIJ5tKB1293NYEJVScXKu5es3+qCjVhvdr6OnlYBkydQUH6bSqcy1S3DNvVI5b0zFMjMDQ==",
"sha1": "fc55879959b4455f1c44505c38613d0e371ef175"
}
}
],
"domains": [
"7b2268223a227363616e2d623632336361666133306666222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406b6c6170702d6b79632f726f75746573222c2263223a222f.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-kyc/routes/MAL-2026-5412.json"