MAL-2026-5469

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-transactional-web/MAL-2026-5469.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5469
Published
2026-06-09T20:29:19Z
Modified
2026-06-09T21:01:34.784912038Z
Summary
Malicious code in getd-transactional-web (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fe5e89f2411faf9265508a84772d5667bb3095cf28937bb9e9ab80a215ff4208)

On npm install, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying os.hostname(), os.userInfo().username, os.platform(), process.cwd(), CI environment indicators (CI, BUILDBUILDID, AGENTNAME), and the package name/version. Errors are swallowed silently. The destination is an anonymous third-party request-bin, not a publisher-owned endpoint, so any party holding the webhook URL receives identifying information about every machine that installs this package. The package's README frames itself as a 'defensive squat' of the @getd scoped namespace, but the data flow — installer identifiers leaving the host to an unaffiliated request-bin without consent — is identical to a malicious typosquat beacon. The combination of a name that lures users targeting @getd/* and an unauthenticated metadata beacon at install time is installer-harming regardless of stated intent.

Database specific 
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T20:45:54.031899396Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "2a68055e3e75d6aa2b4661899cf358e96f8f902af1e0ac8ffadad30609dc42c0",
            "id": "IN-MAL-2026-005208",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:29:19Z"
        },
        {
            "modified_time": "2026-06-09T20:29:19Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "fe5e89f2411faf9265508a84772d5667bb3095cf28937bb9e9ab80a215ff4208",
            "id": "IN-MAL-2026-005207",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:53.938350293Z"
        }
    ]
}
References
Credits

Affected packages

npm / getd-transactional-web

Package

Name
getd-transactional-web
View open source insights on deps.dev
Purl
pkg:npm/getd-transactional-web

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators 
{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e",
            "path": "postinstall.js"
        },
        {
            "sha256": "3f43eec8fa98175e1871933dc3c52a1278c4553956559e6a440a8b26fff4d79a",
            "tlsh": "9f01f42a7625163329c0675c1d33a80a3d228d575106791e27e7064583dfc6f85ff21e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-i23TAsRw3Slkv1XZd5VPGr67LaBW6B3ZyPHtIGYq+KH6NQ61CcI4c6Y3PrLDtuye5/dkZKUGAU9HwuCa95PcnQ==",
                "sha1": "6e97d39be7b7d5719455ecc7ae3209e5a504e20d"
            },
            "filename": "getd-transactional-web-0.0.1.tgz"
        }
    ]
}
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-transactional-web/MAL-2026-5469.json"