MAL-2026-5471

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-ui-library/MAL-2026-5471.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5471
Published
2026-06-09T20:29:06Z
Modified
2026-06-09T21:01:35.028253342Z
Summary
Malicious code in getd-ui-library (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fcdbf66757b102ed524f01c498adae819b02968aa455f57316f4e08af1fb9ea0)

On npm install, postinstall.js runs unconditionally (scripts.postinstall = 'node postinstall.js') and sends an HTTPS GET to a hardcoded webhook.site URL carrying the installer's hostname (os.hostname()), username (os.userInfo().username), platform (os.platform()), current working directory (process.cwd()), and CI-detection environment variables (CI, BUILD_BUILDID, AGENT_NAME) as query parameters. webhook.site is an anonymous request-capture service: whoever holds the UUID receives identifying telemetry from every machine that installs this package, useful for follow-on targeting (CI build agent fingerprinting, developer host enumeration). Errors from the request are swallowed silently. The package additionally occupies the unscoped name getd-ui-library to mimic the legitimate scoped @getd/ui-library package; any developer who mistypes the install name receives this beacon. The package's own README framing this as 'defensive squat' research does not change the installer-side impact: host/user/cwd identifiers leave the machine on every install with no opt-in.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T20:45:53.290548692Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "600dc0698dbd55835d4f128bc75ef8e4722db79a071a4bf4fc5dd6ffbe741448",
            "id": "IN-MAL-2026-005204",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:29:06Z"
        },
        {
            "modified_time": "2026-06-09T20:29:06Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "fcdbf66757b102ed524f01c498adae819b02968aa455f57316f4e08af1fb9ea0",
            "id": "IN-MAL-2026-005203",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:53.18436308Z"
        }
    ]
}

Affected packages

npm / getd-ui-library

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e",
            "path": "postinstall.js"
        },
        {
            "sha256": "2fa13584ece962a20818c74cb58e2f7889c6478abd58a3d9475622843dce540b",
            "tlsh": "ec01f42a76250a3339d05aac1c32980a3d228e575106bd1f27e7060143cfc6f85ff31e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "getd-ui-library-0.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-vHMlrk8h2R8fmxp2+t/kapT5j35pAnLUnzk7F78yrBwdft12Pzaooo9UemvNij+JHAMJzr/9r2JrAY4v0yNWWg==",
                "sha1": "2795a92af8938abdd9c6912b98741b47f8b92f17"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-ui-library/MAL-2026-5471.json"