-= Per source details. Do not edit below this line.=-
On npm install, the package's postinstall.js collects os.hostname() and os.userInfo().username and embeds them as query-string parameters in a plaintext HTTP GET to a hardcoded bare IP (http://161.97.149.48/skybackground.png?display=<hostname>&profile=<username>). The fetch is dressed up as an 'image download', but the identifying data is in the URL the server logs, giving the operator a per-install fingerprint of every machine that installs the package; because the request is unencrypted HTTP, the same values are also readable by anyone on the network path. The download path also follows 301/302 redirects to attacker-chosen Locations and writes the server's response body to ./downloaded-image.jpg with no content-type validation, so the same channel that carries the beacon can also stage an arbitrary operator-supplied file on the installing machine. Cover-story signals corroborate intent: package.json describes an 'image downloader CLI' with placeholder author 'Your Name', README.md advertises an unrelated 'Simple Text Utils' API (capitalize/reverse/wordCount) that the code does not implement, and index.js exports only downloadImage. The advertised purpose, README, and shipped code disagree with one another; the only behavior consistent across all three is the install-time phone-home.
{
"malicious-packages-origins": [
{
"versions": [
"10.0.3"
],
"sha256": "5c2701b0b360af9ff8d06c12dcfaba8fbeff8840d1d7c56ce600a7ae8c5f1ffb",
"modified_time": "2026-06-11T13:23:58Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T13:27:21.388259152Z",
"id": "IN-MAL-2026-005746"
},
{
"versions": [
"10.0.2"
],
"sha256": "78fe6900f4329c8e4c7bb5322f0e30a3f3b90e289c45852fca61c4fd16f43fd8",
"modified_time": "2026-06-11T13:24:02Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005747",
"import_time": "2026-06-11T13:27:21.417288346Z"
},
{
"versions": [
"10.0.1"
],
"sha256": "baccf68297f0f532fddbf8186c16935ec20b3f30a749c5f0acdc5b0647567c76",
"modified_time": "2026-06-11T13:23:56Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005745",
"import_time": "2026-06-11T13:27:21.301846096Z"
}
]
}{
"package_integrity": [
{
"filename": "unified-ui-components-library-10.0.3.tgz",
"hashes": {
"sha512_sri": "sha512-aoAmrS8+YCBekWnvxVBddHf1O5gnZat0nVvnib06P9kN3Rzv+cJkyYVorhRAFDyL/EuK3JyW/t6PfvajUsqeBw==",
"sha1": "6e133836325c29a1e602b5689462e58c1eb4bc11"
}
}
],
"evidence_files": [
{
"sha256": "e2e4d144ce9269f1cbc6cc4d048d26acf573c258d4a656f61075635c9138e099",
"path": "postinstall.js",
"tlsh": "a251537519f351393237e0ad7f5b592ab2577403318dcb04358c71015fceaa486aa3bb"
},
{
"sha256": "832350de287279bc69ad0e99185909518947f0f22a07f8526be86731552f4d22",
"path": "package.json",
"tlsh": "71e0ab1d89206e1335c80a982d5b190af25509470148bd0837e7006c0bae23f207e25f"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unified-ui-components-library/MAL-2026-5648.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]