MAL-2026-5465

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-content-management/MAL-2026-5465.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5465
Published
2026-06-09T20:28:53Z
Modified
2026-06-09T21:01:34.153626459Z
Summary
Malicious code in getd-content-management (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (44eb41541c340c710ad8afc366ab4642d3809d8d9afef53b99e3704b9dfb684b)

The unscoped package name 'getd-content-management' impersonates the legitimate @getd/* npm scope (acknowledged in the package's own README). On npm install, the postinstall.js lifecycle script collects host identifiers via os.hostname(), os.userInfo().username, os.platform(), process.cwd(), and CI-related environment variables (CI, BUILD_BUILDID, AGENT_NAME), and transmits them as query-string parameters in an HTTPS GET request to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 — a generic third-party request-capture service unrelated to any publisher infrastructure. Errors are silently swallowed so the installer sees no indication the call occurred. The combination of name-confusion against an existing scope and silent install-time beaconing of internal hostnames, user accounts, build paths, and CI agent identity to an attacker-controlled capture URL is operationally indistinguishable from a malicious typosquat regardless of how the README frames the behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:28:53Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "44eb41541c340c710ad8afc366ab4642d3809d8d9afef53b99e3704b9dfb684b",
            "id": "IN-MAL-2026-005199",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:52.276871435Z"
        },
        {
            "modified_time": "2026-06-09T20:28:53Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "efaa0ace9a4e74cb70a973143ccb7abd217de77d7fcd7bb588536de79c3d360c",
            "id": "IN-MAL-2026-005200",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:52.59260818Z"
        }
    ]
}
References
Credits

Affected packages

npm / getd-content-management

Package

Name
getd-content-management
Purl
pkg:npm/getd-content-management

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e",
            "path": "postinstall.js"
        },
        {
            "sha256": "cef184b2894c435c28fd0db2148e4703520d4e761ce8e68c944664e359efe12e",
            "tlsh": "eb01f42a762506332dc0565c1c33a80a3d128d575106791e27e7060543dfd6fc5ff31e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-/y3MBk3R+9IfzrY8WpyIS5KtygJpeHWQfToiAezZYNRKmmfG48ORWSqoJyBui0RkX4uzjPu47IKdmyF4hX4dGw==",
                "sha1": "973909615c7d01b0ce25dab5c1a1f9a1b62f8251"
            },
            "filename": "getd-content-management-0.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-content-management/MAL-2026-5465.json"