MAL-2026-5452

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shopify-app-bridge-internal/MAL-2026-5452.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5452
Published
2026-06-09T17:18:39Z
Modified
2026-06-09T18:01:37.630881493Z
Summary
Malicious code in shopify-app-bridge-internal (npm)
Details

Source: amazon-inspector (b21c63417fe3a82fd514d0af7c913fb3c1cd62915839dc8910483fb6484bbbd9)

The package's preinstall lifecycle script in package.json runs unconditionally on npm install and issues an HTTPS GET to https://jnhwbzedabyratvgvgpgo7wtsmhsiw8d4.oast.fun/?host=shopify-<hostname>, where <hostname> is taken from os.hostname(). The oast.fun domain belongs to a public out-of-band interaction service (interactsh) commonly used as a callback collector, so this beacon discloses the installing machine's hostname to a remote third party at install time. The unscoped package name shopify-app-bridge-internal, the "-internal" suffix and the version 99.9.9 together form the canonical dependency-confusion shape against Shopify's official scoped @shopify/app-bridge: the package is designed to be picked up by internal build systems that look up a private dependency name against the public registry, where a high version number wins resolution. Despite the package's self-description as a bug-bounty PoC, the install-time beacon affects any installer that resolves the name.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:18:39Z",
            "versions": [
                "99.9.9"
            ],
            "sha256": "b21c63417fe3a82fd514d0af7c913fb3c1cd62915839dc8910483fb6484bbbd9",
            "id": "IN-MAL-2026-005017",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.236689192Z"
        },
        {
            "modified_time": "2026-06-09T17:18:40Z",
            "versions": [
                "99.9.9"
            ],
            "sha256": "f2a10e4151c578adc9a27ddc220cb2a1a9158ac747bf46476acd0d8670e580a2",
            "id": "IN-MAL-2026-005018",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:49.2984212Z"
        }
    ]
}

Affected packages

npm / shopify-app-bridge-internal

Package

Name
shopify-app-bridge-internal
Purl
pkg:npm/shopify-app-bridge-internal

Affected ranges

Affected versions

99.*
99.9.9

Database specific

indicators
{
    "domains": [
        "jnhwbzedabyratvgvgpgo7wtsmhsiw8d4.oast.fun"
    ],
    "evidence_files": [
        {
            "sha256": "03f0ce38b08238a2a8630db417ba847bb5875a65efaee1e416ab6fdd626e1fb6",
            "tlsh": "6ce061f00da5fa733dc105f64c07552ef153de0e0014a915abcb115941d57b6947da4c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-CNXR5GW3GVwy/2BD+D7zR4YTo+O9Fqsjd/bUG35pkMd68uMAFbLUZcHXQdVdVlfolZ2N5bzCAp93Jf/AaziK/w==",
                "sha1": "f0322f748754ea6f1f3bf5d81856ba6b14dce567"
            },
            "filename": "shopify-app-bridge-internal-99.9.9.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shopify-app-bridge-internal/MAL-2026-5452.json"