MAL-2026-5418

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/api-client/MAL-2026-5418.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5418
Published
2026-06-09T17:40:00Z
Modified
2026-06-09T19:01:27.923636374Z
Summary
Malicious code in @nstrlabs/api-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (de7b47a7f81209dbbaff286599b46f4f030ff992b6d0c25d947cc84739b838d9)

@nstrlabs/api-client@99.0.0 is a hollow package whose only behavior is an install-time exfiltration beacon. package.json declares "preinstall": "node index.js || true", so every npm install automatically executes index.js, which collects os.hostname(), os.userInfo().username, __dirname, and process.cwd() and ships them through two independent channels: (1) a DNS lookup against a subdomain of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (OAST-style out-of-band callback) encoding the collected fields, and (2) an HTTP POST of the JSON payload to the hardcoded bare IP 172.201.213.59:9090/c. Errors are swallowed with || true to keep the install appearing successful. The package ships no API-client functionality; the version-bomb to 99.0.0 under the @nstrlabs scope, combined with the security research description and beacon-only payload, is the canonical dependency-confusion shape — designed to outrank a private internal @nstrlabs/api-client and silently identify hosts inside the target organization's build environment.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:40:00Z",
            "versions": [
                "99.0.1"
            ],
            "sha256": "21dda1fd78fda4debfc14241cb2f5653bb328ccbe744170341d7f5a93331dac2",
            "id": "IN-MAL-2026-005095",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:54.323441979Z"
        },
        {
            "import_time": "2026-06-09T17:45:54.41238204Z",
            "versions": [
                "99.0.1"
            ],
            "sha256": "9e0cc169216efefe96ed4724461baf56c8d7827b7322eaaca6dfdce9a3456165",
            "id": "IN-MAL-2026-005096",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:40:01Z"
        },
        {
            "modified_time": "2026-06-09T17:50:34Z",
            "versions": [
                "99.0.0"
            ],
            "sha256": "7d5538fb97a8a712a30d1168e70ae82650504b2e6015833086b4d95093807e53",
            "id": "IN-MAL-2026-005131",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:18.18423155Z"
        },
        {
            "import_time": "2026-06-09T18:50:18.037807876Z",
            "versions": [
                "99.0.0"
            ],
            "sha256": "de7b47a7f81209dbbaff286599b46f4f030ff992b6d0c25d947cc84739b838d9",
            "id": "IN-MAL-2026-005130",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:50:34Z"
        }
    ]
}

Affected packages

npm / @nstrlabs/api-client

Package

Name
@nstrlabs/api-client
Purl
pkg:npm/%40nstrlabs%2Fapi-client

Affected ranges

Affected versions

99.*
99.0.0
99.0.1

Database specific

indicators
{
    "domains": [
        "7b2268223a227363616e2d663866316139383239396265222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f6170692d636c69656e74222c226322.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
    ],
    "evidence_files": [
        {
            "sha256": "89091fe1e658e3c3fd6b58a2006947a6f7a42625951e47bb3b1f6d64abcd3052",
            "tlsh": "b0f0e1e161a0e1f9abb096a0fdd866c457f3d656b04288f0dc5d0fcf4ac24d05d769e1",
            "path": "index.js"
        },
        {
            "sha256": "10af3a1f5a05d8851ed8621f469f1684b22edd40672299b714dda25c0c734b87",
            "tlsh": "2dc012681920b836379183f16976ac8d61f9861410844c088ae245b898b179c916d055",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-m5XVBe9wzSrW6CCxT4F0iOYHm99ij1SDjVeZOuP/5UOTqhtBevJkeefwyP+XBVJ+b3ZEnv06Y4/yfsVh0LXxPw==",
                "sha1": "30a6a5a88bca1720162e8ce55e030e5d50f2be89"
            },
            "filename": "api-client-99.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/api-client/MAL-2026-5418.json"