MAL-2026-5474

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getui-library/MAL-2026-5474.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5474
Published
2026-06-09T20:28:59Z
Modified
2026-06-09T21:01:35.352986079Z
Summary
Malicious code in getui-library (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bf281a31a53827497d9a24ff0602f277b568f495a00c14603c3e9bf11a30327a)

On npm install, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 with query parameters containing the installer's hostname (os.hostname()), username (os.userInfo()), platform (os.platform()), current working directory, CI environment indicators, package name/version, and a timestamp. Errors are silently swallowed to avoid breaking the install. The package's own description self-identifies as a typosquat placeholder for the @getd/* scoped namespace, so any developer who mistypes the intended package name is fingerprinted without consent. Regardless of the author's stated 'defensive security research' rationale, the technical behavior is unconsented installer-side identifier exfiltration to a third-party webhook collector triggered automatically by the postinstall lifecycle hook.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:29:00Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "25760a4672dd1edac426c0859125237d5a9a91268531665935249ea5bb4509a4",
            "id": "IN-MAL-2026-005202",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:53.064887883Z"
        },
        {
            "modified_time": "2026-06-09T20:28:59Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "bf281a31a53827497d9a24ff0602f277b568f495a00c14603c3e9bf11a30327a",
            "id": "IN-MAL-2026-005201",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:52.873010617Z"
        }
    ]
}

Affected packages

npm / getui-library

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e",
            "path": "postinstall.js"
        },
        {
            "sha256": "6d06923137755f5191e0c145140719fa06fc4d3cc72c3426e9e574c6bca0d397",
            "tlsh": "2401f42a76250a3339c0565c1c32980a3d528e5751067d1f27e7060143cfc6f85ff31e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-bZ9iYS5XNx/pb/59CejZ11om7OYlJCtolpyCaq3tZhD/SMdz7inuaMt1KSkDaT6Cn7cvFTosHzv5ZTVHmnJz5Q==",
                "sha1": "099aaceb0d49acdf8e1691eab45d486993b5061e"
            },
            "filename": "getui-library-0.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getui-library/MAL-2026-5474.json"