MAL-2026-5423

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/utils/MAL-2026-5423.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5423
Published
2026-06-09T17:41:29Z
Modified
2026-06-09T19:01:29.427332026Z
Summary
Malicious code in @nstrlabs/utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355)

On npm install, the package's preinstall script (node index.js || true) executes automatically and collects host identifiers from the installer's machine — os.hostname(), os.userInfo().username, __dirname, and process.cwd() — then exfiltrates them through two channels. First, the JSON payload is POSTed to a hardcoded bare IP http://172.201.213.59:9090/c. Second, the data is hex-encoded into a subdomain and resolved via DNS against *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live, an Interactsh out-of-band beacon. The || true suffix swallows any error so the install always succeeds silently. Although the package metadata describes itself as 'security research', every installer is harmed: host reconnaissance fires unconditionally on install with no opt-out and no disclosure.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.0.1"
            ],
            "id": "IN-MAL-2026-005102",
            "import_time": "2026-06-09T17:45:54.800420201Z",
            "sha256": "3dc7b28e2c70c166b75e806b589dac5e2aae3dffe338f5b9f2707692dd1b8c17",
            "modified_time": "2026-06-09T17:41:29Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.0.1"
            ],
            "id": "IN-MAL-2026-005101",
            "modified_time": "2026-06-09T17:41:29Z",
            "sha256": "84a4bcae5f6897112304920f60d6cbb6cbe880104db4ef1ff69be17fbb69b8ac",
            "import_time": "2026-06-09T17:45:54.771040179Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-005142",
            "import_time": "2026-06-09T18:50:19.119930512Z",
            "sha256": "36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355",
            "modified_time": "2026-06-09T17:55:14Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-005143",
            "import_time": "2026-06-09T18:50:19.200496564Z",
            "modified_time": "2026-06-09T17:55:15Z",
            "sha256": "99c9771eea6e1ac9070aeee2d1c4a2264bfd92586e2af228932ca88f5fee0b0f",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @nstrlabs/utils

Package

Name
@nstrlabs/utils
View open source insights on deps.dev
Purl
pkg:npm/%40nstrlabs%2Futils

Affected ranges

Affected versions

99.*
99.0.0
99.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "70894a72ac8089a8f10aee8d420131e6179f13f6657f7dc30f3993e2fc2c042c",
            "tlsh": "51f0e1e161a0d5f99b709590bdd4668457f3d656b04288f0dc4d0fcf46c24d09d769e1",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "utils-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-1TBU/MWPugA8i5/hXTfWvZC8PZ686rS3UzMFrCAjCjqzBZxPTuSI+BvftBQvF3r1QeWg7SIRdPYKqF0wfvUmIQ==",
                "sha1": "090ffb365209bc248de504cabc4197416b621e79"
            }
        }
    ],
    "domains": [
        "7b2268223a227363616e2d376232363339653061346434222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f7574696c73222c2263223a222f686f.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/utils/MAL-2026-5423.json"