MAL-2026-5422
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/shared-components/MAL-2026-5422.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5422
- Published
- 2026-06-09T17:38:39Z
- Modified
- 2026-06-09T19:01:29.425946433Z
- Summary
- Malicious code in @nstrlabs/shared-components (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445)
On
npm install, the package's preinstall script runs index.js, which collects host identifiers (os.hostname(), os.userInfo().username, __dirname, process.cwd(), package name) and ships them to two attacker-controlled destinations: (1) a hex-encoded DNS subdomain query against*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live(Interactsh-style out-of-band exfiltration), and (2) an HTTP POST of the same JSON payload to bare IPhttp://172.201.213.59:9090/c. The package is published under@nstrlabs/shared-componentsat version99.0.0with descriptionsecurity research— a high semver against a generic scoped name consistent with a dependency-confusion attack targeting an internalnstrlabsnamespace. There is no legitimate library functionality; the preinstall beacon is the package's only effect. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005086", "versions": [ "99.0.1" ], "sha256": "af9737388d5d3e4542198eb5ae3bb13c2d13eefc97331fb32ed105626218776a", "source": "amazon-inspector", "modified_time": "2026-06-09T17:38:39Z", "import_time": "2026-06-09T17:45:53.742254201Z" }, { "id": "IN-MAL-2026-005087", "import_time": "2026-06-09T17:45:53.884376129Z", "sha256": "ebac43bd1c2448eeb204605bf63cd432020d8bbb4f6d52519ab1a88ac43137d8", "source": "amazon-inspector", "modified_time": "2026-06-09T17:38:39Z", "versions": [ "99.0.1" ] }, { "id": "IN-MAL-2026-005152", "versions": [ "99.0.0" ], "sha256": "efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445", "source": "amazon-inspector", "modified_time": "2026-06-09T17:56:40Z", "import_time": "2026-06-09T18:50:20.378210193Z" }, { "id": "IN-MAL-2026-005153", "import_time": "2026-06-09T18:50:20.502421363Z", "sha256": "2726b4c9e7c8d06bdcf4396f2e33ee39e620b79710e5fbe6ca2b9dbe6dc50dcc", "source": "amazon-inspector", "modified_time": "2026-06-09T17:56:40Z", "versions": [ "99.0.0" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @nstrlabs/shared-components
Package
- Name
- @nstrlabs/shared-components
- View open source insights on deps.dev
- Purl
- pkg:npm/%40nstrlabs%2Fshared-components
Database specific
indicators
{
"evidence_files": [
{
"path": "index.js",
"sha256": "b75d5f584b998d1021ac03ad2f939fb9aa1b18728dce12f7deeca3fa5e5909be",
"tlsh": "79f00ce121a0d0bdaba09590bd946a8153f3c256b04288f0dc0d0ecf06c24d05c7a9e1"
},
{
"path": "package.json",
"sha256": "bbae3ef6b8bf185e555478fdb63509731c179a7a8f2090e81d5f0f727a6145e1",
"tlsh": "51d012782920b836769582f169766c4e72e9825454c448444ae305b495f279c906e056"
}
],
"package_integrity": [
{
"filename": "shared-components-99.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-tbaAnEmOtwq+B94s8PaRoBeyn9+Ppfq3glSS/5hNp6neWNyNgdApl1ZsHucGxxtWZfzNer0v9wVoAF72H6s+8A==",
"sha1": "d4d2395b155be0c475087ebe378db675bfab86fd"
}
}
],
"domains": [
"7b2268223a227363616e2d613363633035653930393163222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f7368617265642d636f6d706f6e656e.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/shared-components/MAL-2026-5422.json"
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]