MAL-2026-5445

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/grateful-payments/MAL-2026-5445.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5445
Published
2026-06-09T17:44:25Z
Modified
2026-06-09T18:01:36.298969041Z
Summary
Malicious code in grateful-payments (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471)

On npm install, the package's postinstall script (src/canary.js) performs a DNS lookup and HTTPS GET to the hardcoded host 96e03fa6c292469a-172-245-86-254.serveousercontent.com at path /c. serveousercontent.com is an anonymous reverse-tunnel service, so the destination is operator-controlled and not tied to a verifiable publisher. Every installer's machine emits an unconsented outbound network call at install time, revealing source IP, DNS resolver path, and install timing to the tunnel operator — a classic install-fleet beaconing pattern used to confirm compromise reach. The package's own metadata describes itself as a HackerOne research canary with an empty main module, but the install-time network behavior is identical to a real install-time beacon and runs on anyone who installs this version.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T17:45:55.14610098Z",
            "versions": [
                "99.0.0-canary.1"
            ],
            "sha256": "1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471",
            "id": "IN-MAL-2026-005111",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:44:25Z"
        },
        {
            "modified_time": "2026-06-09T17:44:25Z",
            "versions": [
                "99.0.0-canary.1"
            ],
            "sha256": "bbd4cc6cf034de9a6a7d4edd97f5fcea8b806ad98dacb14372e5a632477861ad",
            "id": "IN-MAL-2026-005112",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:55.210202067Z"
        }
    ]
}

Affected packages

npm / grateful-payments

Package

Affected ranges

Affected versions

99.*
99.0.0-canary.1

Database specific

indicators
{
    "domains": [
        "96e03fa6c292469a-172-245-86-254.serveousercontent.com"
    ],
    "evidence_files": [
        {
            "sha256": "ef2b6f485b2532da51b9f5f82a44416947f1d965023718a03005da3a51a68b45",
            "tlsh": "4ed022fe91c4080aa3a047ac841a60cab94bc9f8008485d2730c86d220c0aeea2ac238",
            "path": "src/canary.js"
        },
        {
            "sha256": "a1f33f0eb9897a7fab0e5b2cc2842e0c27f448ec1eae4cb20a2a255d689bc72d",
            "tlsh": "53d09704e82042233cc88ee30da0c08b81286c031260ad2893639040310ca774ff7100",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "grateful-payments-99.0.0-canary.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-5PJTf1wBLN0XCBNbqy/1BGkdxDh5A6UfUm4lGzkvgQrIV7VaHF34iK+uiTH3o7XJNLf07Tb/Sk6JX5bXdqrHkg==",
                "sha1": "c76573be2ecde7f4dd39bfce542e49babc80ee9c"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/grateful-payments/MAL-2026-5445.json"