MAL-2026-5416
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-otp/routes/MAL-2026-5416.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5416
- Published
- 2026-06-09T17:40:27Z
- Modified
- 2026-06-09T19:01:29.462191985Z
- Summary
- Malicious code in @klapp-otp/routes (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee)
On
npm install, this package auto-executesindex.jsvia thepreinstalllifecycle hook. The script collectsos.hostname(),os.userInfo(),__dirname,process.cwd(), and the package name, then exfiltrates them through two channels: (1) a hex-encoded DNS A-record query to<encoded>.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live(an interactsh out-of-band collector), and (2) an HTTP POST of the same JSON payload tohttp://172.201.213.59:9090/c. Both channels fire unconditionally on install, leaking installer identity to attacker-controlled infrastructure. The package metadata reinforces the dependency-confusion / namespace-squat shape: scope@klapp-otpwith version99.0.0and the description stringsecurity research, paired with no legitimate functionality in the tarball. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005100", "versions": [ "99.0.1" ], "sha256": "3701ac552bd704a6c763558749e69755eadea825b90f0b0e51be120ed8bf2c01", "source": "amazon-inspector", "modified_time": "2026-06-09T17:40:27Z", "import_time": "2026-06-09T17:45:54.738848321Z" }, { "id": "IN-MAL-2026-005099", "versions": [ "99.0.1" ], "sha256": "6eebbab7c031083ae325b2262558bb759840f96f356a54ac3df3b5e1fa70ae75", "source": "amazon-inspector", "modified_time": "2026-06-09T17:40:27Z", "import_time": "2026-06-09T17:45:54.632506583Z" }, { "id": "IN-MAL-2026-005157", "import_time": "2026-06-09T18:50:20.943812249Z", "sha256": "8d3143a25bca88550c73189b84085b9a8770cace00d02790eb6c17520350f0bd", "source": "amazon-inspector", "modified_time": "2026-06-09T17:57:07Z", "versions": [ "99.0.0" ] }, { "id": "IN-MAL-2026-005156", "import_time": "2026-06-09T18:50:20.861308077Z", "sha256": "9246974efd1a626094dd3f2027df2e8f1468ce45ebcba42e5207a06c5c9e16ee", "source": "amazon-inspector", "modified_time": "2026-06-09T17:57:07Z", "versions": [ "99.0.0" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @klapp-otp/routes
Package
- Name
- @klapp-otp/routes
- View open source insights on deps.dev
- Purl
- pkg:npm/%40klapp-otp%2Froutes
Database specific
indicators
{
"evidence_files": [
{
"path": "index.js",
"sha256": "accf0cac5313b31906c51eac3c753c2c7213f044eca353b8ef03831c05b6672f",
"tlsh": "80f041e171b0d0f98b708580fdc46a8453b3d656b00288f0dc0d0fcf06c24d05c769e1"
},
{
"path": "package.json",
"sha256": "4d26ceee5e41e2b885d99f5a5934d081edc3866e8e4725fcfa61fd389bf551f9",
"tlsh": "43c0807c3d31b476176183f46d756c4c71f9c65810d48e44cff6857454b17e8945e055"
}
],
"package_integrity": [
{
"filename": "routes-99.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-7S4omY3pCYMB6kaXIQ4TWm4vdf3V90ZEPpuS1khtBZbLDC7RBNxoHtxYeI2zQUQGN6PdYqOSGsVi7k0ghlnpPw==",
"sha1": "04d8f4c40a6f2a925ac695fb5c2105814745676c"
}
}
],
"domains": [
"7b2268223a227363616e2d653837313737303965316235222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406b6c6170702d6f74702f726f75746573222c2263223a222f.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-otp/routes/MAL-2026-5416.json"