MAL-2026-5540

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@monitoring-lib/error-tracking/MAL-2026-5540.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5540
Published
2026-06-11T01:22:04Z
Modified
2026-06-11T02:31:32.189436159Z
Summary
Malicious code in @monitoring-lib/error-tracking (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d)

On npm install, the preinstall lifecycle hook in package.json runs a Node one-liner that reads the installer's hostname (os.hostname()) and username (os.userInfo().username) and transmits them to an attacker-controlled Interactsh/OAST callback domain via two channels: an HTTPS GET request to https://d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site/?h=<hostname>&u=<username> and a DNS lookup of monitoring-lib.<hostname>.d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site. The package name uses a generic scope (@monitoring-lib) that does not correspond to a known publisher, and the version number 9999.0.0 is the canonical shape of a dependency-confusion attack — a public registry upload designed to override an organization's internal package of the same name. Combined, the package is a supply-chain recon beacon: any installer that resolves to this version leaks its host identity to the attacker, identifying victims whose private-registry configurations failed.
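As an added defensive example (not part of this OSV record and not code from Amazon Inspector or the OpenSSF Package Analysis project), the following Python triages an npm `package.json` for the signals this entry describes: a lifecycle hook that reads host identity, a callback host under the `.oast.site` suffix named above, an implausibly high version, and a name that collides with an organization's internal package. The two manifests, the internal-package inventory and the 9000 major-version threshold are constructed assumptions; only the package name, version and callback domain are taken from the record, and the sample preinstall body is a harmless stand-in that merely contains the indicator tokens.

```python
"""Triage an npm package.json for the dependency-confusion beacon signals
described in MAL-2026-5540.

Added example; not part of the OSV record or of the Amazon Inspector /
OpenSSF Package Analysis tooling. Manifests, the internal-package inventory
and the version threshold below are constructed for illustration.
"""
import json
import re
import sys

# Hooks npm runs automatically when a dependency is installed from the registry.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Node APIs that read host identity; any of these inside a lifecycle hook is a signal.
HOST_IDENTITY_APIS = ("os.hostname", "os.userInfo", "hostname()", "userInfo(")
# Callback-domain suffix taken from the advisory (Interactsh/OAST). Extend with your own.
CALLBACK_SUFFIXES = (".oast.site",)
# Assumption: a major version at or above this is treated as dependency-confusion shaped.
IMPLAUSIBLE_MAJOR = 9000

# Constructed stand-in for the package inventory a private registry would expose.
INTERNAL_PACKAGES = frozenset({"@monitoring-lib/error-tracking", "@acme/internal-auth"})

# Constructed manifest mirroring the advisory's signals. The preinstall body only
# *contains* the indicator tokens; it reads nothing and sends nothing.
SUSPECT_MANIFEST = {
    "name": "@monitoring-lib/error-tracking",
    "version": "9999.0.0",
    "scripts": {
        "preinstall": "node -e \"require('os').hostname(); "
                      "'d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site'\"",
    },
}

# Constructed benign manifest: sane version, no lifecycle hooks, no internal-name collision.
BENIGN_MANIFEST = {
    "name": "@acme/http-client",
    "version": "1.4.2",
    "scripts": {"test": "node test.js"},
}

# Rough host-name matcher for script bodies: labels separated by dots, ending in a TLD.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[a-z]{2,}")


def parse_major(version):
    """Return the integer major of a semver string, or None if it does not parse."""
    m = re.match(r"^\s*v?(\d+)", version or "")
    return int(m.group(1)) if m else None


def assess_manifest(manifest, internal_packages=frozenset()):
    """Return a list of (signal, detail) tuples; an empty list means nothing fired.

    The name-collision check assumes the manifest was resolved from the public
    registry; run it against public lookups, not against your own internal packages.
    """
    findings = []
    name = manifest.get("name", "")
    version = manifest.get("version", "")
    scripts = manifest.get("scripts") or {}

    major = parse_major(version)
    if major is not None and major >= IMPLAUSIBLE_MAJOR:
        findings.append(("implausible-version", f"{name}@{version}"))
    if name in internal_packages:
        findings.append(("internal-name-collision", name))
    for hook in LIFECYCLE_HOOKS:
        body = scripts.get(hook)
        if not body:
            continue
        findings.append(("lifecycle-hook", f"{hook}: {body[:60]}"))
        if any(api in body for api in HOST_IDENTITY_APIS):
            findings.append(("host-identity-read", hook))
        for host in HOST_RE.findall(body):
            if host.endswith(CALLBACK_SUFFIXES):
                findings.append(("callback-domain", host))
    return findings


def signals(manifest, internal_packages=INTERNAL_PACKAGES):
    """Convenience: just the set of signal names that fired for a manifest."""
    return {signal for signal, _ in assess_manifest(manifest, internal_packages)}


if __name__ == "__main__":
    # Usage: python triage.py path/to/package.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        for signal, detail in assess_manifest(json.load(fh), INTERNAL_PACKAGES):
            print(f"{signal}: {detail}")
```

Any single signal is worth a look, but the combination the advisory describes (lifecycle hook, host-identity read, callback domain, 9999.x version, internal-name collision) should block the install. The structural mitigations sit outside this script: `ignore-scripts=true` in `.npmrc` stops lifecycle hooks from running at all, and an `@scope:registry=` entry pins internal scopes to the private registry so a public upload under the same name is never resolved. The DNS channel described above also leaves a trace: resolver logs showing lookups for `monitoring-lib.<hostname>.d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site` identify hosts where the package already ran.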

Source: ossf-package-analysis (160b44403dfdcc6f9b6a3390ac9d1a2a55ed88c8a3cfd660850d573a89682453)

The OpenSSF Package Analysis project identified '@monitoring-lib/error-tracking' @ 9999.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005362",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:48:11Z",
            "import_time": "2026-06-11T02:24:27.854737577Z"
        },
        {
            "id": "IN-MAL-2026-005363",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "8100d54eed6cb854340b403b4d22c6b2c4a6abc7780fc1a94c00e1d4a5404625",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:48:12Z",
            "import_time": "2026-06-11T02:24:27.905843345Z"
        },
        {
            "versions": [
                "9999.0.0"
            ],
            "sha256": "160b44403dfdcc6f9b6a3390ac9d1a2a55ed88c8a3cfd660850d573a89682453",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-11T01:22:04Z",
            "import_time": "2026-06-11T02:24:24.741689959Z"
        }
    ]
}
References
Credits

Affected packages

npm / @monitoring-lib/error-tracking

Package

Name
@monitoring-lib/error-tracking
Purl
pkg:npm/%40monitoring-lib%2Ferror-tracking

Affected ranges

Affected versions

9999.*
9999.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "ef769e339f69d0587da8b112dbf3b827aaaca128564f808bed29ade70e9bcf43",
            "tlsh": "5df0c0b4858090235fe8208807aa610da2c68f0ab16e0c13dde255e743c45f67f76131"
        }
    ],
    "package_integrity": [
        {
            "filename": "error-tracking-9999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-WShghcdrbPfixkkWgI7ieefxTRESW8w8f/saqVXwrevCrH5ZRnf4kU+Hr+cvhx6i2miMraPU5lpiNaJML+WxLw==",
                "sha1": "f677dc4bbe961186740398b74581a1043f25f1c3"
            }
        }
    ],
    "domains": [
        "d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site",
        "monitoring-lib.scan-99456db80cc7.d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@monitoring-lib/error-tracking/MAL-2026-5540.json"