MAL-2026-5415

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-login-platform/routes/MAL-2026-5415.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5415
Published
2026-06-09T17:35:02Z
Modified
2026-06-09T19:01:29.401203322Z
Summary
Malicious code in @klapp-login-platform/routes (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7)

On npm install, the package's preinstall lifecycle hook executes index.js, which collects the installer's hostname, username, package install path (__dirname), current working directory, and package name, serializes them to JSON, hex-encodes the result, and exfiltrates the data through two channels: DNS lookups against subdomains of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an Interactsh out-of-band callback host) and an HTTP POST to the bare IP endpoint http://172.201.213.59:9090/c. The package ships almost no functional code; its purpose is the beacon. The scope @klapp-login-platform paired with an inflated 99.0.2 version and a generic routes name fits the canonical dependency-confusion pattern of publishing a high-version public package to shadow an internal private package of the same name, causing affected build environments to resolve and install this attacker-controlled release.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.0.2"
            ],
            "sha256": "c9f6b9efd71eddb881438d2ca27620bd74bfb2d294c4c93a31810f9b4a0398be",
            "modified_time": "2026-06-09T17:35:02Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005068",
            "import_time": "2026-06-09T17:45:52.482280328Z"
        },
        {
            "versions": [
                "99.0.2"
            ],
            "sha256": "ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7",
            "modified_time": "2026-06-09T17:35:02Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:52.373735047Z",
            "id": "IN-MAL-2026-005067"
        },
        {
            "versions": [
                "99.0.0"
            ],
            "sha256": "e9913ce094c3b9378054947a30b6006a21c13aaac0cca90b707c13a81c962894",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:50:25Z",
            "import_time": "2026-06-09T18:50:17.933705372Z",
            "id": "IN-MAL-2026-005128"
        },
        {
            "versions": [
                "99.0.0"
            ],
            "sha256": "bb01db4904bb167c8048cc3cb668a0e554a972e0a68c95ff18df9d161affef7f",
            "modified_time": "2026-06-09T17:50:25Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:17.983040368Z",
            "id": "IN-MAL-2026-005129"
        }
    ]
}
References
Credits

Affected packages

npm / @klapp-login-platform/routes

Package

Name
@klapp-login-platform/routes
View open source insights on deps.dev
Purl
pkg:npm/%40klapp-login-platform%2Froutes

Affected ranges

Affected versions

99.*
99.0.0
99.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "routes-99.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-f5bb4sAmD2CgVUsX6Ls+8wBJdg22O9YtS5EgxcyfXeAEfKmAHZ6K7xv4g6OzBR0vzXWCX6pIOqXTL8b4wAKivQ==",
                "sha1": "d961c8641c2be0e25e2d18dc6033b64ce3abca31"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "750349cd1da7c9d227661c16f90045833969a85566dd871d67ee883d5dc29557",
            "path": "index.js",
            "tlsh": "74f00ce162b0d0f98b708580ecc4668056b7c256b002c8e4dc0c0ece0ac24e05c76ae1"
        },
        {
            "sha256": "e9809650aaa6c44320524f04e89824561ea013d96df0a3a6f30c84bac913460e",
            "path": "package.json",
            "tlsh": "65d022381a31b836076142f0a8b5ac4c60f8c2181080cd0c8ee680b085b17e8809e001"
        }
    ],
    "domains": [
        "7b2268223a227363616e2d633064633039326164646639222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406b6c6170702d6c6f67696e2d706c6174666f726d2f726f75.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-login-platform/routes/MAL-2026-5415.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]