MAL-2026-5490

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sb-original/MAL-2026-5490.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5490
Published
2026-06-09T22:57:12Z
Modified
2026-06-09T23:46:26.926343791Z
Summary
Malicious code in sb-original (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83)

sb-original@9999.99.99 is an unscoped package whose version is set to 9999.99.99 to win semver resolution against any internal package of the same name. index.js transparently re-exports the real sb-original module so consumers see normal functionality, while a postinstall script silently fingerprints the installing environment. On npm install, postinstall.js POSTs JSON containing the consuming package name/version, Node version, OS, detected CI provider, and GitHub repository/owner/workflow identifiers to https://ddactic-lab.online/sc/beacon (postinstall.js:32). It also performs a DNS-based fallback that encodes the same fields as a subdomain of b.ddactic-lab.online (postinstall.js:46, dns.lookup(`${sl}.${ci}.${h}.b.ddactic-lab.online`, ...)), which is designed to bypass HTTP egress controls. The combination of an extreme version floor, a transparent proxy main, and unconditional install-time exfiltration of GitHub repo identifiers to an attacker-controlled domain is the canonical dependency-confusion attack shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T22:57:13Z",
            "versions": [
                "9999.99.99"
            ],
            "sha256": "5419fc906c3b5ca1817006530c8ec07e70675fa10fd9c2be97bda76fb56d7d8d",
            "id": "IN-MAL-2026-005257",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T23:32:25.540277583Z"
        },
        {
            "modified_time": "2026-06-09T22:57:12Z",
            "versions": [
                "9999.99.99"
            ],
            "sha256": "c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83",
            "id": "IN-MAL-2026-005256",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T23:32:25.504454545Z"
        }
    ]
}

Affected packages

npm / sb-original

Affected versions

9999.*
9999.99.99

Database specific

indicators
{
    "domains": [
        "ddactic-lab.online",
        "sb-original.none.81fac073.b.ddactic-lab.online",
        "sb-original.none.81fac073.b.ddactic-lab.online.ec2.internal"
    ],
    "evidence_files": [
        {
            "sha256": "e5c7efaa25bd6fc20c40fe6e39a40957043022e78b5ec6d9ad2b9e49a3ef75c8",
            "tlsh": "e241a755829891340fe122c9b852c8165d7bd49633e799f0774d15226fc92bc03b2fdf",
            "path": "postinstall.js"
        },
        {
            "sha256": "909c530937f12ec928c28dc6fff529c3e46531e7f5ce0bf5547de695d4023d08",
            "tlsh": "5ee02b654e35c7b31dc83b95992a158677321c47c484fc8923d70128839e06711bf21d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-RtCXUaC/nFpydImoTi4qbJpligM1lpYrPCJHpWg1QjeFXkG4hq0s52QR48of+cDscXpBupTGBL7ZHmf77GRtow==",
                "sha1": "6123884ec06181739caa7222e6010cd8efb9a51b"
            },
            "filename": "sb-original-9999.99.99.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sb-original/MAL-2026-5490.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]