MAL-2026-5435

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac_semantic-ui_ts/MAL-2026-5435.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5435

Published

2026-06-09T17:16:45Z

Modified

2026-06-09T18:01:33.864439177Z

Summary

Malicious code in ac_semantic-ui_ts (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d)

package.json declares a postinstall hook that runs canary.js, which issues an HTTP GET to bare IP 157.230.17.236 on port 80 with query parameters including os.hostname(), the package name and version, a nonce, and a lifecycle phase. The package name ac_semantic-ui_ts paired with the inflated version 99.99.100 is the canonical dependency-confusion shape — designed to win resolution over an internal/private registry entry of the same name. Any installer who resolves this package from public npm silently transmits their host identifier to an unencrypted, hardcoded, non-publisher endpoint with no opt-in. The README self-describes as an 'authorized benign dependency-confusion canary,' but the supply-chain mechanism — install-time exfiltration of installer host metadata to a third-party IP — is identical to a malicious dependency-confusion beacon, and any installer who pulls this unintentionally has their hostname leaked.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:16:45Z",
            "versions": [
                "99.99.100"
            ],
            "sha256": "f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d",
            "id": "IN-MAL-2026-005008",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:48.54918157Z"
        }
    ]
}

References

https://www.npmjs.com/package/ac_semantic-ui_ts/v/99.99.100

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ac_semantic-ui_ts

Package

Name: ac_semantic-ui_ts; View open source insights on deps.dev
Purl: pkg:npm/ac_semantic-ui_ts

Affected ranges

Affected versions

99.*

99.99.100

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "c415c911bad1ba1d3b0b18f814c766fc01f2f4cc825c364734a5ec1ed59c5c7b",
            "tlsh": "de0119db44f2a23563fa08caa0a34e66b113c291322bacb0b88c05910f9ed9842325d5",
            "path": "canary.js"
        },
        {
            "sha256": "2c517d0148760f8cf6d108162dfc460e949bf00d2fef2809132ef52b3ce8c114",
            "tlsh": "62e0e5249a104d3715d805d90c79556651a35c2b0a043d28b3ab509c475e6b726ff26e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "ac_semantic-ui_ts-99.99.100.tgz",
            "hashes": {
                "sha512_sri": "sha512-S1ufaamy20qdbxcrOceSh8KqLp5R0Jc48sEzmfRZWO4fdrdimRoBd2pQ/bpp7lW/CLuL9NwsuvM4cirCgkzz/g==",
                "sha1": "0929e1ee3fc2c5dc9d585c7a51b56bb3c178adcc"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac_semantic-ui_ts/MAL-2026-5435.json"