MAL-2026-5582

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wp-env/MAL-2026-5582.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5582
Published
2026-06-11T05:05:53Z
Modified
2026-06-11T05:46:32.889405977Z
Summary
Malicious code in wp-env (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ec2e092036cea9a9b2563e18b3d588ab046800c2160fb820081423b909066759)

The package squats the wp-env CLI name, which users commonly invoke as npx wp-env when they intend @wordpress/env. It ships only bin/run.js (the declared main, index.js, is absent from the tarball), so its sole execution surface is the bin script that fires when a developer runs npx wp-env. On execution, bin/run.js reads process.env.INIT_CWD, derives the basename of the installer's project directory, and POSTs it together with a timestamp and package metadata to a hardcoded callback URL, https://deepbounty.dd06-dev.fr/cb/dc43de99-70fc-4782-8668-bec6eee1975b. The package self-describes as a 'Security PoC for Bug Bounty' — name-confusion attack against @wordpress/env combined with concrete installer-side data exfiltration (the project directory basename, sent to an attacker-controlled host that uses a per-target callback path to identify successfully confused victims). This satisfies both the typosquat shape (≤2 char edit / namespace confusion vs. @wordpress/env's wp-env CLI) and a concrete exfil payload to an attacker-controlled destination.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005542",
            "versions": [
                "1.0.0"
            ],
            "sha256": "ec2e092036cea9a9b2563e18b3d588ab046800c2160fb820081423b909066759",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:05:53Z",
            "import_time": "2026-06-11T05:41:05.230251237Z"
        }
    ]
}
References
Credits

Affected packages

npm / wp-env

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "bin/run.js",
            "sha256": "5ea8406ede323122bb335e70b0e65aebff785200d764f45960e247bf8b051dd3",
            "tlsh": "0d2154906ae2573462ea1ad0995b9c0b7237b20b7e41f0a8b59c01882fc813c9573fce"
        },
        {
            "path": "package.json",
            "sha256": "a91c9861cdc3e93356e2895dd07f41df2b4f538003b7958ad1c85a555dac2626",
            "tlsh": "b7c0801c445ea403f645cffc5c7f5180513d073c3015c84808443058c0e67b57539344"
        }
    ],
    "package_integrity": [
        {
            "filename": "wp-env-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-pMysMCSVw6rnhECmKuJkTAUtl2vixnBAf0Ciz0OR9AFmYuBazKtZS5yLLuIjyEt4qI/H+lGzM7E7P500VfbBrQ==",
                "sha1": "fe1ea4418d6e656c58ec4cc1ae812085fccfaaa9"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wp-env/MAL-2026-5582.json"