MAL-2026-5421

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/sdk/MAL-2026-5421.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5421
Published
2026-06-09T17:39:06Z
Modified
2026-06-09T19:01:29.437766044Z
Summary
Malicious code in @nstrlabs/sdk (npm)
Details


Source: amazon-inspector (a0b1375de7b44594cd3760efb91cb94c8c8b7137322f4597114e314ce5e14e45)

On npm install, package.json runs a preinstall script, node index.js || true, which unconditionally executes index.js. The script collects host identity fields (os.hostname(), os.userInfo().username, __dirname, process.cwd(), and the package id), hex-encodes them as DNS labels, and resolves them as a subdomain of an interactsh OOB callback host (*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live). It then POSTs the same JSON payload to a bare-IP HTTP endpoint at http://172.201.213.59:9090/c. Two independent exfiltration channels (DNS and HTTP) fire on every install, and || true swallows errors so the exfiltration is silent. The package is a typosquat / dependency-confusion lure: version 99.0.1 is an unusually high pseudo-version, the scope @nstrlabs and the metadata (description: security research, author jeroengui) are placeholder-shaped, and the package has no other functionality. Its sole effect on install is the recon beacon.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005090",
            "import_time": "2026-06-09T17:45:54.036915308Z",
            "source": "amazon-inspector",
            "versions": [
                "99.0.1"
            ],
            "sha256": "431fba2bc1e6b06410274f7e3ab7e44dc0355ac6e934f788f3302ba2babe4f9e",
            "modified_time": "2026-06-09T17:39:07Z"
        },
        {
            "id": "IN-MAL-2026-005089",
            "import_time": "2026-06-09T17:45:53.99829334Z",
            "versions": [
                "99.0.1"
            ],
            "source": "amazon-inspector",
            "sha256": "a0b1375de7b44594cd3760efb91cb94c8c8b7137322f4597114e314ce5e14e45",
            "modified_time": "2026-06-09T17:39:06Z"
        },
        {
            "id": "IN-MAL-2026-005133",
            "import_time": "2026-06-09T18:50:18.380304302Z",
            "versions": [
                "99.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:50:40Z",
            "sha256": "0a20b9279fceb4a7db4f1c1ba696a0de954391b7305a38d196a19f2085f3d32d"
        },
        {
            "id": "IN-MAL-2026-005132",
            "import_time": "2026-06-09T18:50:18.299133917Z",
            "versions": [
                "99.0.0"
            ],
            "source": "amazon-inspector",
            "sha256": "b78132c899a6715cb1f453d93ac421b2f796eff921e6113865c6e62d47269d15",
            "modified_time": "2026-06-09T17:50:40Z"
        }
    ]
}

Affected packages

npm / @nstrlabs/sdk

Package

Name
@nstrlabs/sdk
Purl
pkg:npm/%40nstrlabs%2Fsdk

Affected versions

99.*
99.0.0
99.0.1

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/sdk/MAL-2026-5421.json"
indicators
{
    "package_integrity": [
        {
            "filename": "sdk-99.0.1.tgz",
            "hashes": {
                "sha1": "afdbbb4c1c53c6f7ab17194c7b953c130d1e0bf4",
                "sha512_sri": "sha512-H30b64BXceguetc8ek+fGnuMssnsAi4LtXp+OrhJ3frfZ8UUx8/4PNsB4o2vlEz+3TU/8pY0wPuF3GynMPd/cw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "92d29e21c08eb6664e07ecc752e2045f91342eee1cfdbda1f00fa37750046966",
            "tlsh": "ccf0e1e161a0d1f99b709590bdd4668457f3d656b04288f0dc4d0fcf46c28d05d76ae1"
        },
        {
            "path": "package.json",
            "sha256": "32d38c2046fb241c75eac099d43a8fd7112879d27efcb44018bf3390aee41c1c",
            "tlsh": "2ac012681920b436265182f16976ac4d61e98218108448448ee205b494b179c806d155"
        }
    ],
    "domains": [
        "7b2268223a227363616e2d623438343064653961343662222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f73646b222c2263223a222f686f6d65.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
    ]
}