MAL-2026-5473

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gethandler-api/MAL-2026-5473.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5473
Published
2026-06-09T20:29:26Z
Modified
2026-06-09T21:01:35.274275917Z
Summary
Malicious code in gethandler-api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0b6925d4c07df297f8cb573df4d85a396794d8793179e7a97f2cfde3aadfcfbc)

On npm install, postinstall.js unconditionally sends an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying the installer's hostname (os.hostname()), username (os.userInfo().username), platform (os.platform()), current working directory, package name/version, CI environment indicators, and a timestamp. Errors are silently swallowed so the install never visibly fails. The package.json self-describes as a 'defensive typo-squat' placeholder for the @getd/* namespace, but regardless of stated intent the behavior is non-consensual install-time transmission of installer identifiers to a third-party request-capture service. Anyone with the webhook URL — including the operator and anyone they share captures with — receives a log of every machine that fat-fingers an install of this name. The typosquat framing combined with the beacon means installers who mistype the target name are silently fingerprinted.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:29:26Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "0b6925d4c07df297f8cb573df4d85a396794d8793179e7a97f2cfde3aadfcfbc",
            "id": "IN-MAL-2026-005209",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:54.193304798Z"
        },
        {
            "modified_time": "2026-06-09T20:29:27Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "ea0b26e761c1eb184707d6e8b06e844515bef1de5b38df98f95ba8af16c5a25f",
            "id": "IN-MAL-2026-005210",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:54.469682331Z"
        }
    ]
}

Affected packages

npm / gethandler-api

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e",
            "path": "postinstall.js"
        },
        {
            "sha256": "88c1f4aa6142485da6050c269e2f2534b208ae9de9a83bfc636c62f5e545f89e",
            "tlsh": "9c01f42a7625063329c0565c1c32980a3d128e575106791e27e7060143cfc6f85ff31a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-X3yqcZ7pd+P/u9TbY1R4aD+Ely251B5hUO2RlVOYVEVgDtHVkWCMndW66fM1Jom8RgwLFU45zZyZXnCqj9UDsg==",
                "sha1": "ff8d2a2ca0c99c9e89e437aec486ee328f684a5e"
            },
            "filename": "gethandler-api-0.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gethandler-api/MAL-2026-5473.json"