MAL-2026-5572

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sendgrid-sdk/MAL-2026-5572.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5572
Published
2026-06-11T05:10:36Z
Modified
2026-06-11T08:01:32.631267517Z
Summary
Malicious code in sendgrid-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (08f1d48bc557c6afa69c74455fe35f34ed0992082dc30fc09d032523d2329f63)

Package impersonates the official SendGrid npm packages (@sendgrid/*) but ships no SDK functionality — index.js exports an empty object. Its sole purpose is a postinstall recon beacon. On npm install, postinstall.js collects extensive installer-side identifiers — hostname, reverse-DNS FQDN, OS user, USERPROFILE, Active Directory domain (USERDNSDOMAIN, USERDOMAIN, LOGONSERVER), proxy/VPN/ZScaler environment signals, OneDrive corporate flag, install working directory, and CI repository identifiers (GitHub/GitLab/CircleCI/Travis/Bitbucket/Azure/Jenkins URLs and npm registry) — and transmits them via plain HTTP GET to http://46.224.67.169:3000/ping with each field as a query parameter (pkg, addomain, fullpath, etc.). The combination of name impersonation, empty SDK surface, and unsolicited fingerprinting of corporate AD/CI environments to a bare-IP HTTP endpoint is recon staging for follow-on supply-chain or phishing attacks. README framing this as a "honeypot" does not constitute installer consent — the package is published to the public npm registry where any developer mistyping the SendGrid name will trigger the beacon.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005551",
            "import_time": "2026-06-11T05:41:06.184562851Z",
            "sha256": "df3992f84ee5a81eb1ad508d9fd6e2a0a51f8552056effe7dece155e1fdfd619",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:10:36Z",
            "versions": [
                "0.2.4"
            ]
        },
        {
            "id": "IN-MAL-2026-005619",
            "versions": [
                "0.1.1"
            ],
            "sha256": "740af421012a33d5773d502ef2ac51f5697d2ec0baa0598a08afa722dd14e209",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:18:53Z",
            "import_time": "2026-06-11T07:49:33.3982726Z"
        },
        {
            "id": "IN-MAL-2026-005621",
            "versions": [
                "0.2.1"
            ],
            "sha256": "76af40b4d1204d2e756b8c339048795de2e130301b007f4495e08853371fe2ed",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:18:56Z",
            "import_time": "2026-06-11T07:49:33.600875714Z"
        },
        {
            "id": "IN-MAL-2026-005620",
            "import_time": "2026-06-11T07:49:33.483697699Z",
            "sha256": "7f23e6fb704388bb60fbae0ed2d4ad51bc2cabe671da387eed6f450951c708b2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:18:55Z",
            "versions": [
                "0.1.0"
            ]
        },
        {
            "id": "IN-MAL-2026-005624",
            "versions": [
                "0.2.0"
            ],
            "sha256": "a19a2f5792f568f4391d6ff89ab07575e238550f96b31c82afde532d4378cd94",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:18:58Z",
            "import_time": "2026-06-11T07:49:33.927827959Z"
        },
        {
            "id": "IN-MAL-2026-005622",
            "import_time": "2026-06-11T07:49:33.717452604Z",
            "sha256": "d1f3e67a6fb5063042d65f8123f4d2a8ae7ce481a022396e7285fe788342876d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:18:56Z",
            "versions": [
                "0.2.2"
            ]
        },
        {
            "id": "IN-MAL-2026-005626",
            "versions": [
                "0.1.3"
            ],
            "sha256": "e4474baa48b79c2fdb036376386c7b83ebd7720c690e330e4e84f957d6364bee",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:19:09Z",
            "import_time": "2026-06-11T07:49:34.119637969Z"
        },
        {
            "id": "IN-MAL-2026-005623",
            "import_time": "2026-06-11T07:49:33.825923384Z",
            "sha256": "08f1d48bc557c6afa69c74455fe35f34ed0992082dc30fc09d032523d2329f63",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:18:57Z",
            "versions": [
                "0.2.3"
            ]
        },
        {
            "id": "IN-MAL-2026-005625",
            "import_time": "2026-06-11T07:49:34.026522344Z",
            "sha256": "25333dd5bc97c012a677a97b234e7f79e57c49239aa138949a2b9085a3829553",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:19:06Z",
            "versions": [
                "0.1.2"
            ]
        }
    ]
}

Affected packages

npm / sendgrid-sdk

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "a5c2f07299786513a13027cafbdb7c19966e5b87329925e0fc2097b1b03d7c2e",
            "tlsh": "c2a1ff364f5545691beb211d972f740ea6bef01308a6da403eaca1942ff13931378ef5"
        },
        {
            "path": "package.json",
            "sha256": "d3fc9aa5b99c8d61188be3f463009642629b0f526321e53845b1f20f51d8473c",
            "tlsh": "cfe08c104b314e3378c8ab990d676909e9929c1785547c2d27af11988b9e37a98ff22e"
        }
    ],
    "package_integrity": [
        {
            "filename": "sendgrid-sdk-0.2.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-ZiZS2yFU7Qi1vzuvScReXbJQ8kju46FTi1ScJO5ejVAR2JJWssyoJ5ENFmq9TyXozhbvrryITVFFV9EgnBdXyw==",
                "sha1": "18ce2b97551f9c32bf4bbd4d22ebcaf538d06260"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sendgrid-sdk/MAL-2026-5572.json"