MAL-2026-5521

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@helpcentre/tesco-help/MAL-2026-5521.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5521
Published
2026-06-10T18:23:43Z
Modified
2026-06-10T19:31:30.477731693Z
Summary
Malicious code in @helpcentre/tesco-help (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (eb75510e87a08a5152331461c2b2b955ad21d418c8d2055f5f66ec15e22cf042)

On npm install, the postinstall hook runs node index.js, which performs an HTTPS POST to https://f1ackavab3.execute-api.eu-west-2.amazonaws.com/ carrying the installer's hostname (os.hostname()) and current working directory (process.cwd()) as JSON. The package has no other functionality. The scoped name @helpcentre/tesco-help targets a Tesco-branded internal namespace, and the inflated 999.0.0 version is the canonical dependency-confusion technique used to override a private package of the same name when an installer's registry config falls back to public npm. Installers who resolve this package leak host-identifying reconnaissance data to an attacker-controlled API Gateway endpoint, enabling targeted follow-on attacks against the affected build environment.

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005281",
            "versions": [
                "999.0.0"
            ],
            "sha256": "eb75510e87a08a5152331461c2b2b955ad21d418c8d2055f5f66ec15e22cf042",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:23:43Z",
            "import_time": "2026-06-10T19:23:47.748055636Z"
        },
        {
            "id": "IN-MAL-2026-005282",
            "import_time": "2026-06-10T19:23:47.833291748Z",
            "sha256": "f12f0ae044f23cb43cc95601156cd73349e8d8ee81c1d8a105b413416540f4d4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:23:43Z",
            "versions": [
                "999.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @helpcentre/tesco-help

Package

Name
@helpcentre/tesco-help
View open source insights on deps.dev
Purl
pkg:npm/%40helpcentre%2Ftesco-help

Affected ranges

Affected versions

999.*
999.0.0

Database specific

cwes 
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "9de09d66735ef7b0e390f9e2511369d7070b2f26c55b6a56b08d5d77a741382a",
            "tlsh": "71d095f745b4c246a76c02c4d071134af167d224e45c4470dc3244dd0f008903150c71"
        },
        {
            "path": "package.json",
            "sha256": "a767c6e19465bc4a39b8e0a9d9975fcfcb912c6de678758fdfa1e1f12db6886d",
            "tlsh": "30c02b744c028b3338cc13c50c34900d6332ce3f0144541c0ac3004542caab698efb0c"
        }
    ],
    "package_integrity": [
        {
            "filename": "tesco-help-999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-rnXKswH1o7oRwy+6VmrRI0E5PO9CI4hy1QxxygGF7GKXNoKBWDBIHV3KAs0LnFtm33dHp4/R32zt/NqhpZJmVg==",
                "sha1": "cc77dbcf3ec8043d992d7034d04ec06532ecc172"
            }
        }
    ],
    "domains": [
        "f1ackavab3.execute-api.eu-west-2.amazonaws.com"
    ]
}
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@helpcentre/tesco-help/MAL-2026-5521.json"