MAL-2026-5571

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qa-handoff/MAL-2026-5571.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5571
Published
2026-06-11T04:36:36Z
Modified
2026-06-11T05:46:31.490506506Z
Summary
Malicious code in qa-handoff (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851)

On npm install, the package automatically executes lib/_setup.js via the postinstall lifecycle hook. The script spawns a detached Node process that collects host identifiers (hostname, username, platform, architecture, IPv4 addresses, current working directory, npm registry) and the names of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/, then sends that payload in an HTTPS POST to a hardcoded DingTalk bot webhook (oapi.dingtalk.com/robot/send) using an embedded access token. Before sending, the script checks whether the username or hostname contains any of 'sandbox', 'malware', 'analyst', 'cuckoo', 'analysis', 'sample' and silently skips the beacon if so; this explicit sandbox/analyst evasion confirms malicious intent. The pattern matches the canonical dependency-confusion reconnaissance beacon used to fingerprint internal CI/build environments for follow-on attacks.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005459",
            "versions": [
                "0.13.0"
            ],
            "sha256": "4939e56124668b7d03f9e2a96dfbfedba53e24aaa5d2190e298547e724b1f851",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:36:36Z",
            "import_time": "2026-06-11T05:40:57.04234684Z"
        }
    ]
}

Affected packages

Package: npm / qa-handoff
Affected ranges: 0.*
Affected versions: 0.13.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "lib/_setup.js",
            "sha256": "fafd500b1f711d0340598f3c893d6c8ab130481558d4a7cac34c59845ff5609c",
            "tlsh": "6d41b5e670a57638177c85c290820016da57e2223583f8e0fc2c41d65bc78fa9af193e"
        }
    ],
    "package_integrity": [
        {
            "filename": "qa-handoff-0.13.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-DBxX6M0kIuaBo9D4e9HbeK2nO1f4MTUOVhZr6xe0sNxp2x94z70HzmwPEiIw8hGoKWxoOFBYxHt1d7gf2sYXgg==",
                "sha1": "38b1bd930cd7dca5d126356b07432ad360783205"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qa-handoff/MAL-2026-5571.json"