MAL-2026-5622

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@whatnot-web/www-legacy/MAL-2026-5622.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5622
Published
2026-06-11T09:26:29Z
Modified
2026-06-11T13:46:36.904639519Z
Summary
Malicious code in @whatnot-web/www-legacy (npm)
Details


Source: amazon-inspector (3fe99986935f0b2d200c3192dfc07fc1b6da96c78ac8a4f0a67aa23771e82709)

@whatnot-web/www-legacy@99.1.1 is a dependency-confusion shell targeting the Whatnot org scope. The package ships an empty library (index.js exports {}), a generic description, blank author, and an inflated version (99.1.1) — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name. On npm install, postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a 2-level directory listing of the working directory, base64-encodes the JSON payload, and POSTs it via HTTPS to the hardcoded interactsh collector wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun. A hex-encoded DNS-lookup fallback to the same host is included to defeat HTTPS egress filtering. The collected information identifies internal build hosts and source-tree layouts and is suitable for staging follow-on attacks against the targeted organization.
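The shape described above (internal scope on the public registry, inflated major version, install-time hook, blank metadata) can be triaged mechanically before a package is allowed into a build. The following is an added example, not code from the advisory or from either source: a heuristic scorer over a package.json plus a check that each internal scope is pinned to a private registry in .npmrc. The sample manifests, the `@whatnot-web` scope list and the version threshold of 50 are constructed assumptions.

```javascript
// Added example (not part of the advisory): dependency-confusion triage heuristics.
const SUSPECT_MAJOR = 50;                      // assumed threshold for "inflated" versions
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

function majorVersion(v) {
  const m = /^(\d+)\./.exec(v || "");
  return m ? Number(m[1]) : null;
}

// Score one package.json: internal scope seen on the public registry, inflated
// version, install-time hook, blank author, no repository. Three or more = suspicious.
function triageManifest(pkg, internalScopes) {
  const findings = [];
  const scope = pkg.name && pkg.name.startsWith("@") ? pkg.name.split("/")[0] : null;
  if (scope && internalScopes.includes(scope)) findings.push("internal-scope-on-public-registry");
  const major = majorVersion(pkg.version);
  if (major !== null && major >= SUSPECT_MAJOR) findings.push("inflated-version");
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle-hook:${hook}`);
  }
  if (!pkg.author) findings.push("blank-author");
  if (!pkg.repository) findings.push("no-repository");
  return { name: pkg.name, findings, suspicious: findings.length >= 3 };
}

// Mitigation check: each internal scope must be pinned to a private registry in
// .npmrc ("@scope:registry=https://..."); a scope left on npmjs.org is exposed.
function unpinnedScopes(npmrcText, internalScopes) {
  const pinned = new Set();
  for (const line of npmrcText.split("\n")) {
    const m = /^(@[^:]+):registry=(\S+)/.exec(line.trim());
    if (m && !/registry\.npmjs\.org/.test(m[2])) pinned.add(m[1]);
  }
  return internalScopes.filter((s) => !pinned.has(s));
}

// Constructed samples mirroring the advisory's description (not the real manifests).
const SAMPLE_SHELL = {
  name: "@whatnot-web/www-legacy", version: "99.1.1", description: "A library",
  main: "index.js", scripts: { postinstall: "node postinstall.js" }, author: "",
};
const SAMPLE_BENIGN = {
  name: "@example-org/ui-kit", version: "2.4.0", description: "Internal UI components",
  main: "index.js", author: "Platform Team",
  repository: { type: "git", url: "https://git.example.internal/ui-kit.git" },
};
const INTERNAL_SCOPES = ["@whatnot-web"];     // assumption: the org's private scope
```

Run `triageManifest(SAMPLE_SHELL, INTERNAL_SCOPES)` against every scoped package resolved from the public registry in a lockfile, and fail CI when `unpinnedScopes` returns anything.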

Source: ossf-package-analysis (e45700e1f6645fd91fddc41fc131df1dfe2df1e3b0c049661f1185f61010fd24)

The OpenSSF Package Analysis project identified '@whatnot-web/www-legacy' @ 99.1.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-11T09:36:26.034126411Z",
            "sha256": "e45700e1f6645fd91fddc41fc131df1dfe2df1e3b0c049661f1185f61010fd24",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-11T09:26:29Z",
            "versions": [
                "99.1.2"
            ]
        },
        {
            "id": "IN-MAL-2026-005732",
            "versions": [
                "99.1.1"
            ],
            "sha256": "21bb55bdbd36c38a976cea5f94cc8f67989823a769b8915fbe4d424e1ca3b9ae",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:05:30Z",
            "import_time": "2026-06-11T13:27:20.688400301Z"
        },
        {
            "id": "IN-MAL-2026-005731",
            "versions": [
                "99.1.1"
            ],
            "sha256": "3fe99986935f0b2d200c3192dfc07fc1b6da96c78ac8a4f0a67aa23771e82709",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:05:29Z",
            "import_time": "2026-06-11T13:27:20.607227625Z"
        },
        {
            "id": "IN-MAL-2026-005734",
            "import_time": "2026-06-11T13:27:20.823247294Z",
            "sha256": "488b42325004726d9ffc2fd1dda185146a8cc73a8e90052b881cdbee2545e30a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:05:39Z",
            "versions": [
                "99.1.2"
            ]
        },
        {
            "id": "IN-MAL-2026-005733",
            "import_time": "2026-06-11T13:27:20.765731134Z",
            "sha256": "a85d19d24a55723e8078d46f2cbfb3c49e1e3ef6f4f66f41f86da599d707a4e6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:05:38Z",
            "versions": [
                "99.1.2"
            ]
        }
    ]
}

Affected packages

npm / @whatnot-web/www-legacy

Package

Name
@whatnot-web/www-legacy
Purl
pkg:npm/%40whatnot-web%2Fwww-legacy

Affected ranges

Affected versions

99.*
99.1.1
99.1.2

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "26a21da51540ea595013edc6a2263316ddac6721501329e2b7b9a0449b7fd7de",
            "tlsh": "8a3162e112f4e2205b7be0c4f97a9c569163e203710bede0f64d02651fc55b455b24f8"
        },
        {
            "path": "package.json",
            "sha256": "082fcfbbc170e884f0721c862ccc180f2c280b9b3a3485f958db7d21989509e4",
            "tlsh": "09e0c2354a1593236dd492ab1827514b7a754e070059693c2b974194838e2bb85fe3ad"
        }
    ],
    "package_integrity": [
        {
            "filename": "www-legacy-99.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-UdyI+xKpmGcW/Xe26/4ScPU2vOvPNHbaDhCe07g3DphwYX16EbgdZ7SbZpf4SaFUISGRGj2tR+X/AYp0WHxK+Q==",
                "sha1": "4148ed9b0761e0ec3730e411c6f92581256242a3"
            }
        }
    ],
    "domains": [
        "7363616e2d3962306432366661663235392e7363616e.wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun",
        "wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@whatnot-web/www-legacy/MAL-2026-5622.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]