MAL-2026-5537

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@entos-ems/xerxes-client-js/MAL-2026-5537.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5537
Published
2026-06-11T00:28:51Z
Modified
2026-06-11T01:31:29.459934839Z
Summary
Malicious code in @entos-ems/xerxes-client-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b)

On npm install, the preinstall hook declared in package.json (node index.js) fires automatically and runs a reconnaissance beacon. index.js collects host identifiers (os.hostname(), process.platform, arch, home directory, username/uid/gid/shell, OS info, cwd) and the output of the shell commands whoami and id (executed via child_process.exec), then POSTs the JSON payload to a hardcoded Burp Collaborator (oastify.com) subdomain at https://98fmeiqizlsgqr14stq21w67ryxplf94.oastify.com/detox56. The package targets the @entos-ems scope and ships no functional client code, consistent with a dependency-confusion attack against an internal namespace.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005345",
            "versions": [
                "10.10.11"
            ],
            "sha256": "25a156d732567a2f4eca4a4849010db272343081273510e91260e703580ac1c1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T00:28:52Z",
            "import_time": "2026-06-11T01:21:50.723954553Z"
        },
        {
            "id": "IN-MAL-2026-005344",
            "versions": [
                "10.10.11"
            ],
            "sha256": "5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T00:28:51Z",
            "import_time": "2026-06-11T01:21:50.674292003Z"
        }
    ]
}
References
Credits

Affected packages

npm / @entos-ems/xerxes-client-js

Package

Name
@entos-ems/xerxes-client-js
Purl
pkg:npm/%40entos-ems%2Fxerxes-client-js

Affected ranges

Affected versions

10.*
10.10.11

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "24edacb8a2bae24c796255f7d4047a1e3118052e31189251a97f0362e0c9bd0f",
            "tlsh": "cb5141c515f65a241ba7b8494a4f9002a327e003350ade55bfcc8740af9937c9bf0bf6"
        }
    ],
    "package_integrity": [
        {
            "filename": "xerxes-client-js-10.10.11.tgz",
            "hashes": {
                "sha512_sri": "sha512-niVy5zUg0qX4HNtGE+10u71SW4c0hv81qs/Cdrzl5gHbKIEo+vF7YIfpRnrfVic+MRnMWhkV+iNplcOBVJ1D4Q==",
                "sha1": "a5b45702b8eb03b258e1aa554c35c4f22792a8ae"
            }
        }
    ],
    "domains": [
        "98fmeiqizlsgqr14stq21w67ryxplf94.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@entos-ems/xerxes-client-js/MAL-2026-5537.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]