-= Per source details. Do not edit below this line.=-
On npm install, the package runs node index.js via a preinstall lifecycle hook (declared as "preinstall": "node index.js || true", so a failing script does not fail the install). index.js collects os.hostname(), os.userInfo().username, __dirname, and process.cwd() and exfiltrates them in two ways: (1) a DNS query whose subdomain labels are the hex-encoded data, sent against *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an interactsh-style out-of-band beacon), and (2) an HTTP POST of a JSON blob to the hardcoded bare IP http://172.201.213.59:9090/c. Because the hex labels encode the collected values, they differ from host to host; the name recorded under "domains" below decodes to a truncated JSON fragment that appears to hold the scanning environment's own hostname, username and paths, so detections should match on the oast.live parent domain and on the IP and port rather than on the full recorded name. Errors are swallowed via || true, try/catch, and a no-op HTTP error handler so the install appears to succeed. The package is published under the @nstrlabs scope at version 99.0.0 (the origin records below list 99.0.0 and 99.0.1) with description 'security research'. This is the canonical dependency-confusion recon shape, where a high version is published to a public registry to override an internal-scope package and beacon any host that resolves it. The package has no legitimate functionality; its only effect on install is the host-metadata beacon.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005094",
"import_time": "2026-06-09T17:45:54.292332312Z",
"sha256": "0d9233446ae1b81338630ea6d9ef3ca2e08db8b46a737baf87970cedc00212bb",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:39:21Z",
"versions": [
"99.0.1"
]
},
{
"id": "IN-MAL-2026-005093",
"import_time": "2026-06-09T17:45:54.238712716Z",
"sha256": "30f1436c6da35578a503200c102818817b2bb6ca8cfc863d1191b2e0a0aa08a7",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:39:20Z",
"versions": [
"99.0.1"
]
},
{
"id": "IN-MAL-2026-005149",
"import_time": "2026-06-09T18:50:19.999980672Z",
"sha256": "0e63be698b01a3e68a3eaffe480367135ca4cbc6a14738cd2a6ab91dff475a7a",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:56:28Z",
"versions": [
"99.0.0"
]
},
{
"id": "IN-MAL-2026-005148",
"versions": [
"99.0.0"
],
"sha256": "64b10f7a8ca25ac33a6d1e94038d1dbfd68d113d9ab7d7a428d97417b3409c7d",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:56:28Z",
"import_time": "2026-06-09T18:50:19.855525139Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "index.js",
"sha256": "ed994881e57a51d95f5f02c5dcc1d96e89c0cdc799074f573c31b2ec662281e2",
"tlsh": "e7f0e1e161a0e1f99b709590bdd4668457f3d656b04288f0ec4d0fcf56c24d05d76de1"
},
{
"path": "package.json",
"sha256": "342e7f5d43e5aa3ad862e0667cc50d934a0d1b23087ad693e3cc1555a3d172a9",
"tlsh": "aac080781d31b437375292f16d756c4d71f9821410c44c044ef305b494b17dc80be056"
}
],
"package_integrity": [
{
"filename": "ixel-99.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-Bc8UlYR+HRuY5t+CjuPOvxqdedtojG86FqV9wXZBTahkSPESGotP3aJe1YqFwajyHKFNzPDF7ZMf+XG0LaEyfA==",
"sha1": "db43623352dc3a6f43b7fb9889ad9980efda6530"
}
}
],
"domains": [
"7b2268223a227363616e2d346135333365663563363766222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f6978656c222c2263223a222f686f6d.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/ixel/MAL-2026-5420.json"