MAL-2026-5467

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-handler-api/MAL-2026-5467.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5467
Published
2026-06-09T20:29:13Z
Modified
2026-06-09T21:01:34.415878489Z
Summary
Malicious code in getd-handler-api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (83398d27bb84d47296f796b4b2e6e9b5a0efc474add2e57592455e7d5d54eab5)

On npm install, postinstall.js collects the installer's hostname, username, platform, current working directory, and CI-related environment variables, then sends them via HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 (postinstall.js line 18). Errors are silenced so the beacon runs invisibly during install. Although package.json describes the package as a 'defensive' typosquat placeholder for the @getd/* scope, installer-side identifiers leave the machine unconditionally and without consent on every install, which is unauthorized data collection regardless of stated intent. The combination of a typosquat-shaped name and an automatic install-time phone-home is the standard namespace-abuse exfiltration pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005206",
            "versions": [
                "0.0.1"
            ],
            "sha256": "63178df74f217762fac782de932a2278af8a58d904245550ba57e1ac020a2367",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:29:14Z",
            "import_time": "2026-06-09T20:45:53.810145104Z"
        },
        {
            "id": "IN-MAL-2026-005205",
            "import_time": "2026-06-09T20:45:53.672396204Z",
            "sha256": "83398d27bb84d47296f796b4b2e6e9b5a0efc474add2e57592455e7d5d54eab5",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:29:13Z",
            "versions": [
                "0.0.1"
            ]
        }
    ]
}

Affected packages

npm / getd-handler-api

Affected versions

0.*
0.0.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e"
        },
        {
            "path": "package.json",
            "sha256": "35bae2415a4fc2fdd87eb89fa7ae4f9c8fcf676623f5449e02596994c6765f17",
            "tlsh": "0401f42a7625063329c05a9c1c32980a3d128e575106b91e27e7060143cfc6fc5ff31a"
        }
    ],
    "package_integrity": [
        {
            "filename": "getd-handler-api-0.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-1IrRA0D9+dE4W9gATqE89sXUHzJ5WonUsD855pZrcK8JZdb4W2epZwrHGabdkyDOWpkN9PGhYEUF8flgXzMnCw==",
                "sha1": "c2a4842ea9bc6de7fe883a57e2c3ebd8775f0c64"
            }
        }
    ],
    "domains": [
        "webhook.site"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-handler-api/MAL-2026-5467.json"