-= Per source details. Do not edit below this line.=-
On npm install, preinstall.js collects the hostname, username, current working directory, network interfaces, and the names of environment variables matching /TOKEN|SECRET|PASSWORD|KEY|AUTH|NPM|AWS|GITHUB|YELP|DATABASE/i, then probes for the existence and sizes of ~/.npmrc, ~/.gitconfig, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.env, ~/.netrc, and ~/.docker/config.json. The collected payload is POSTed via curl, over plain HTTP, to http://3w0e8s6jg6tkyv03vdesvscvlmrdf43t.oastify.com (a Burp Collaborator OAST domain). The payload self-identifies with attack: 'dependency-confusion-yelp', and the package name yelp-react-component-chaos impersonates Yelp's internal React tooling namespace, indicating a dependency-confusion squat against Yelp's private registry. Any developer or CI pipeline that resolves this name from public npm has its host fingerprinted and its inventory of credential files reported off-host, enabling targeted follow-on theft.
The OpenSSF Package Analysis project identified 'yelp-react-component-chaos' @ 8.14.5 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "8.14.5"
      ],
      "sha256": "888a90bd95ca140a3cc5946c0f1a7bf5b52f04ac2f7732722de7db72ec409801",
      "source": "ossf-package-analysis",
      "modified_time": "2026-06-10T15:49:03Z",
      "import_time": "2026-06-10T16:43:59.438965768Z"
    },
    {
      "id": "IN-MAL-2026-005295",
      "import_time": "2026-06-10T19:23:48.80211564Z",
      "sha256": "711cd262cc670c0e66cf2878b6fa22db21a2e420313a58aa029cbc619f2b27cc",
      "source": "amazon-inspector",
      "modified_time": "2026-06-10T18:42:07Z",
      "versions": [
        "8.14.5"
      ]
    },
    {
      "id": "IN-MAL-2026-005296",
      "import_time": "2026-06-10T19:23:48.867114303Z",
      "sha256": "cf88717719d8d7f86a39bfb0ebfcb6fe2960c415e6dcc592c3777007812d1882",
      "source": "amazon-inspector",
      "modified_time": "2026-06-10T18:42:08Z",
      "versions": [
        "8.14.5"
      ]
    }
  ]
}

[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]

{
  "evidence_files": [
    {
      "path": "preinstall.js",
      "sha256": "cd833edb605d41b532d0624688bcdf6b832c60599cebd4d389cc16ef44d37a18",
      "tlsh": "493167d202f0563424b3e6c1aa5b3033365af10b3e09f5d8bd6c16954fc69b455f1af9"
    }
  ],
  "package_integrity": [
    {
      "filename": "yelp-react-component-chaos-8.14.5.tgz",
      "hashes": {
        "sha512_sri": "sha512-2CPPlyS/506SxniPzvo3C1SWt9I+O+fvpmMyLtPuLwPDidrHM8FDyF04d95RWNQx4tMB6wlVXJ8yiYY9m1522g==",
        "sha1": "15a6573e585d7d3aa795e2e22e11f752cadacb5c"
      }
    }
  ],
  "domains": [
    "3w0e8s6jg6tkyv03vdesvscvlmrdf43t.oastify.com"
  ]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yelp-react-component-chaos/MAL-2026-5515.json"