MAL-2026-5486

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/menu-filter-widget-web/MAL-2026-5486.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5486
Published
2026-06-09T20:43:12Z
Modified
2026-06-09T21:01:37.126082628Z
Summary
Malicious code in menu-filter-widget-web (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce)

package.json declares a postinstall lifecycle hook that runs callback.js on every npm install. callback.js reads os.hostname() and sends it to a hardcoded oastify.com (Burp Collaborator) URL via HTTPS GET, with a fallback DNS lookup that embeds the hostname as a subdomain label. Both channels carry a unique token plus the installer's hostname, registering the install with a remote attacker-controlled collaborator on every install. The package self-describes as a 'PoC' but is published to the public registry, so any installer leaks host identity automatically without consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-09T20:45:58.555265086Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "6dbcaf0b132c21e578d8caafa01a8740d4c1aa8ef82f9cdeaaf46536027a9d92",
            "id": "IN-MAL-2026-005238",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T20:43:13Z"
        },
        {
            "modified_time": "2026-06-09T20:43:12Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce",
            "id": "IN-MAL-2026-005237",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:58.462240903Z"
        }
    ]
}

Affected packages

npm / menu-filter-widget-web

Package

Name
menu-filter-widget-web
Purl
pkg:npm/menu-filter-widget-web

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "domains": [
        "3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com",
        "poc-widget-001.scan-dea4a1d74656.3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com"
    ],
    "evidence_files": [
        {
            "sha256": "a1796ad3ed640844791551a0cfc9aabe691ec7ffe3431212c70e3c061254260b",
            "tlsh": "b601c2fe06c4c73c594035c1e156543ae1abf244718699f0b46f321243e657626734f9",
            "path": "callback.js"
        },
        {
            "sha256": "6b1b2eae54c2490bbbc33f956fc742d1808e122ac61c1334efe968ad6ecedd34",
            "tlsh": "06d0a7a01c0346773cd0ff970832429e5164cb085648451d09b16364845a9f8417126d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-A3OpHxFxG7JPJJ/wB/CaBv/1LoVgnA3xgTc/2kZpWn0LDUnzXoNFMhOAOOu2Bthirt+25sHLlXNC/4Hdn9ULVg==",
                "sha1": "5431e829ec21c1ea16a115f6cddefdfc836428a0"
            },
            "filename": "menu-filter-widget-web-0.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/menu-filter-widget-web/MAL-2026-5486.json"