MAL-2026-5459

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dktunited/anly-tracker-v2/MAL-2026-5459.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5459

Published

2026-06-09T17:45:50Z

Modified

2026-06-09T19:01:30.761942997Z

Summary

Malicious code in @dktunited/anly-tracker-v2 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8a8893b914c3ba3139a3c8cede191521742237aa7c1c5d64f7ee45dbc5f636a6)

scripts/postinstall.js runs unconditionally during npm install and exfiltrates installer-side identifiers to an attacker-controlled out-of-band collector. The script fetches the installer's public IP from api.ipify.org, then collects os.userInfo().username, os.hostname(), process.cwd(), the package name, and the resolved IP, and transmits them to the hardcoded host xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun (an Interactsh OOB collector) via two channels: a dns.lookup of a hex-encoded subdomain and an https.request to /poc carrying the JSON payload base64-encoded in an x-poc header. The package is published at version 99.99.99 — the canonical dependency-confusion squat marker designed to outrank any internal @dktunited/anly-tracker-v2 package by semver. Whether labeled a bug-bounty PoC by the author or not, it is live on the public registry and will harm any build system that resolves it.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:45:50Z",
            "versions": [
                "99.99.99"
            ],
            "sha256": "8a8893b914c3ba3139a3c8cede191521742237aa7c1c5d64f7ee45dbc5f636a6",
            "id": "IN-MAL-2026-005121",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:17.004838866Z"
        },
        {
            "modified_time": "2026-06-09T17:45:50Z",
            "versions": [
                "99.99.99"
            ],
            "sha256": "f5592101eecb18abeaffb9d7f290c0dd32a9278e683f99432788680986e011bd",
            "id": "IN-MAL-2026-005122",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T18:50:17.18575481Z"
        }
    ]
}

References

https://www.npmjs.com/package/@dktunited/anly-tracker-v2/v/99.99.99

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @dktunited/anly-tracker-v2

Package

Name: @dktunited/anly-tracker-v2; View open source insights on deps.dev
Purl: pkg:npm/%40dktunited%2Fanly-tracker-v2

Affected ranges

Affected versions

99.*

99.99.99

Database specific

indicators

{
    "domains": [
        "7b22706b67223a2240646b74756e697465642f616e6c792d747261636b65.xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun",
        "xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun",
        "api.ipify.org"
    ],
    "evidence_files": [
        {
            "sha256": "aa9ca6d9e8623690bab98aef79f4b919052c7277f6037f08c87e27ad540dfe49",
            "tlsh": "cc1102a872f09324057260c4ccabde1a5117e2137a46d961fbcc41949f446b8ecb2ef9",
            "path": "scripts/postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "anly-tracker-v2-99.99.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-P5At0IIAvN7GdxikNEZztHPxiJlmHkAnvdbE1IjgyRbrqXRSm44HvH0TbFUdQONwZtr4XFWOwWnaSgdgFdk8xg==",
                "sha1": "87c5fb06f0a358d560bebb6a6f2a5438ddae918f"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dktunited/anly-tracker-v2/MAL-2026-5459.json"