MAL-2026-5427

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@payment-review/store/MAL-2026-5427.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5427
Published
2026-06-09T17:36:12Z
Modified
2026-06-09T19:01:27.914333152Z
Summary
Malicious code in @payment-review/store (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2d624eaefbb0245bf0c9a7b598c461a3ba5ec48005cfec223898062741ef8c2e)

package.json declares the preinstall script "node index.js || true", so installing the package automatically runs index.js on npm install. The script collects host identity fields (os.hostname(), os.userInfo().username, __dirname, process.cwd(), and the package id), serializes them as JSON, and exfiltrates them via two channels: (1) an HTTP POST to the hardcoded bare IP http://172.201.213.59:9090/c, and (2) a hex-encoded DNS resolution against a subdomain of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (Interactsh out-of-band exfiltration). The package metadata (@payment-review/store, version 99.0.0, description "security research", no real functionality) matches the dependency-confusion shape: a high version number under a target-org-styled scope intended to override an internal private package of the same name. Installing this package leaks the installer's host and user identity to attacker-controlled infrastructure with no user consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005081",
            "versions": [
                "99.0.1"
            ],
            "sha256": "0d4410dd7531b8073ca94b67e1f378c1384acfe969b9b8a12ed934be962b1565",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:36:13Z",
            "import_time": "2026-06-09T17:45:53.365719911Z"
        },
        {
            "id": "IN-MAL-2026-005080",
            "versions": [
                "99.0.1"
            ],
            "sha256": "16277824e707bfa5d164fe338408172b64a7e3c02ee6669b1391b8ad1ae41965",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:36:12Z",
            "import_time": "2026-06-09T17:45:53.304444681Z"
        },
        {
            "id": "IN-MAL-2026-005137",
            "versions": [
                "99.0.0"
            ],
            "sha256": "98ffd07a5d66d1101647686e7de8afd31b09a0af01aa3118a9de460089751408",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:52:39Z",
            "import_time": "2026-06-09T18:50:18.729919262Z"
        },
        {
            "id": "IN-MAL-2026-005136",
            "import_time": "2026-06-09T18:50:18.669508796Z",
            "sha256": "2d624eaefbb0245bf0c9a7b598c461a3ba5ec48005cfec223898062741ef8c2e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:52:39Z",
            "versions": [
                "99.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @payment-review/store

Package

Name
@payment-review/store
Purl
pkg:npm/%40payment-review%2Fstore

Affected ranges

Affected versions

99.*
99.0.0
99.0.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "900eae6f9d233e1b556d274405ce0d0b0db6ca9226c20dd086b89fd9e10739f8",
            "tlsh": "1cf0e1e161a1d0f99f719590bdd4a68457b3d656b04288f0ec5d0fcf06c28e05d76ae1"
        },
        {
            "path": "package.json",
            "sha256": "e860ba47ac1a906170d932fc95a8f03abd6b38e1f79bc4da389317e9fb0cfe3c",
            "tlsh": "42c012683d21f8361ea382f06d76ac4d71f9821450c44c049af2417855b1be881ad116"
        }
    ],
    "package_integrity": [
        {
            "filename": "store-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-SKulMQis2tMI/UQpoauTwxKbpizCMUBaqCEmqfmWOAeIqW5p4m8vCiMKSfjL6aFq2zx/2lDFW/OMnyWehF8HTQ==",
                "sha1": "6030bf93b030307d2448b229d0f84f1fb08daece"
            }
        }
    ],
    "domains": [
        "7b2268223a227363616e2d616630666131346534626133222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f407061796d656e742d7265766965772f73746f7265222c2263.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@payment-review/store/MAL-2026-5427.json"