MAL-2026-5462

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@rockawayx/utils/MAL-2026-5462.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5462

Published

2026-06-09T20:25:07Z

Modified

2026-06-09T21:01:33.727843648Z

Summary

Malicious code in @rockawayx/utils (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab)

@rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares "preinstall": "node notify.js || true"; notify.js collects os.hostname(), os.userInfo().username, os.platform(), and a timestamp and POSTs them as JSON to https://2.25.140.71:8443/rockawayx/depconf-poc with rejectUnauthorized: false (TLS verification disabled). The destination is a hardcoded bare IPv4, not a publisher-owned domain. Any build that resolves @rockawayx/* against the public registry — the canonical dependency-confusion victim — will pull this package and silently transmit host identifiers to the bare IP. The README frames the package as authorized security research, but the code performs the same install-time exfiltration any dependency-confusion attacker would, and consumers in any pipeline (not only the targeted organization) trigger the beacon without consent.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005196",
            "versions": [
                "0.0.1"
            ],
            "sha256": "e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:25:07Z",
            "import_time": "2026-06-09T20:45:51.731061185Z"
        }
    ]
}

References

https://www.npmjs.com/package/@rockawayx/utils/v/0.0.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @rockawayx/utils

Package

Name: @rockawayx/utils; View open source insights on deps.dev
Purl: pkg:npm/%40rockawayx%2Futils

Affected ranges

Affected versions

0.*

0.0.1

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "notify.js",
            "sha256": "0e1c40712f4e988386d5dd3fb02c4ff60ceda140c2bf4d7efefac7a6aaaa126a",
            "tlsh": "1701f4f45368ed706ff581e5e1f1a416d272f164b92b79f9e4d402aca35c1c404349f0"
        },
        {
            "path": "package.json",
            "sha256": "39e108d5b42518575ebc462916eda4cbcf80ee04c83d39c35a894585b35f07a5",
            "tlsh": "4ed097700824a43304c48be219b2820bb0a1cc1b10acbd0c1383010880ee7f389ff10d"
        }
    ],
    "package_integrity": [
        {
            "filename": "utils-0.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-Iob3BAbaJ/r08bPY2g3fvJS+WgzB0yisgfrhCeNW58O9ZxxxU8adaFlTkKSndxgOE6UJ2ljgSwWJ1DKXn3FgEA==",
                "sha1": "838f7f1617519705a4229bc7842eb7ddd6ef5d92"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@rockawayx/utils/MAL-2026-5462.json"