MAL-2026-5533

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@coze-common/chat-area/MAL-2026-5533.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5533

Published

2026-06-10T23:33:27Z

Modified

2026-06-11T00:16:29.446288351Z

Summary

Malicious code in @coze-common/chat-area (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (89b49d08422192fa57b4739bf462f0e8b3c206b2c3cfad15578ac92dd6f47b04)

This package is a dependency-confusion/namespace-squat against ByteDance's @coze-common scope. The library is hollow — index.js is module.exports = {} and the description ('Browser accessibility and security utilities for React') does not match the package name. The harm runs at install time: package.json declares postinstall: node postinstall.js, and postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a recursive directory listing of the install working directory, base64-encodes the JSON payload, and POSTs it to https://wybqtvzmfhssbvhokfgbvgaalpfg1vneq.oast.fun/ via https.request. A DNS covert channel (dns.lookup of a hex-encoded hostname+username subdomain under the same oast.fun host) is used as fallback to bypass HTTP egress filters. oast.fun is Interactsh out-of-band infrastructure used for reconnaissance against the installer's machine; the version 99.1.1 is the shadowing pattern used to win dependency-confusion resolution against the legitimate private @coze-common scope.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005312",
            "import_time": "2026-06-11T00:00:57.489177544Z",
            "sha256": "89b49d08422192fa57b4739bf462f0e8b3c206b2c3cfad15578ac92dd6f47b04",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:33:27Z",
            "versions": [
                "99.1.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005313",
            "import_time": "2026-06-11T00:00:57.581431902Z",
            "sha256": "cbfda63254e85169b3209df4260781e717ac5e9de9736408dfd4c3e9e258fd1e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:33:27Z",
            "versions": [
                "99.1.1"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/@coze-common/chat-area/v/99.1.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @coze-common/chat-area

Package

Name: @coze-common/chat-area; View open source insights on deps.dev
Purl: pkg:npm/%40coze-common%2Fchat-area

Affected ranges

Affected versions

99.*

99.1.1

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "85d8ccbea0336fc399ba5cb07064cc559680704290051c5216bd9d64f3108563",
            "tlsh": "4c3174e112f5e2205b7be0c4f97a9c569167e203710bede0f64c02651fc55b455b24f8"
        },
        {
            "path": "package.json",
            "sha256": "1d1c15d1a3081ea30b6472d29ba97f394b24b0b286da0be4915784253cdb7fbd",
            "tlsh": "7be0c2314a1497232dc892aa0827514b7a755e1b00587d3c2ba79194538f7ba44bf2ae"
        }
    ],
    "package_integrity": [
        {
            "filename": "chat-area-99.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-1JN5tTe5zpJsaMbV6IquC9mZEhQXVMg7AK7vXZbpILTxrGWR0uscdQwZnwiE1h47/3nQEVwcFbLE28pPy2m+mQ==",
                "sha1": "4fb8f8e6282686f52e6fcc7d485072f4b5614129"
            }
        }
    ],
    "domains": [
        "7363616e2d6561386561316232653365332e7363616e.wybqtvzmfhssbvhokfgbvgaalpfg1vneq.oast.fun",
        "wybqtvzmfhssbvhokfgbvgaalpfg1vneq.oast.fun"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@coze-common/chat-area/MAL-2026-5533.json"