MAL-2026-5696

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/voyager-web/MAL-2026-5696.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5696
Published
2026-06-12T15:24:53Z
Modified
2026-06-12T16:46:41.570994583Z
Summary
Malicious code in voyager-web (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8)

package.json declares both preinstall and postinstall lifecycle hooks that execute callback.js on npm install. callback.js collects installer-side identifiers (os.hostname(), username, uid/gid, homedir, platform, cwd, local IP, external IP via https://api.ipify.org, Node version, package name) and CI environment indicators (presence of GITHUB_TOKEN/AWS_ACCESS_KEY_ID/NPM_TOKEN, GITHUB_REPOSITORY, GITHUB_ACTOR, JENKINS_URL, etc.) and POSTs the JSON payload to a hardcoded Discord webhook at discord.com/api/webhooks/1514602063399747595/<redacted>. A DNS-based exfiltration fallback is also present. The package name typosquats Reddit's open-source voyager-web, and the version 999.0.0 is the canonical dependency-confusion version bump used to override an internal/private package of the same name. The package describes itself as a security research PoC, but the practical effect on any non-consenting installer is automatic exfiltration of host and CI credentials/metadata to an attacker-controlled channel.
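A defender-side audit of the two manifest-level signals described above (install lifecycle hooks that run a bundled script, and a dependency-confusion style version such as 999.0.0), added here as an example; it is not code from this advisory, from Amazon Inspector or from the OSV project. The sample package.json is constructed to mirror the shape the advisory describes, and the "major version >= 99" threshold is an assumed heuristic.

```python
import json

# Lifecycle scripts npm runs automatically during `npm install`; a
# malicious file such as callback.js executes here without user consent.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristic: a major version this high outranks any plausible
# internal release and is typical of dependency-confusion uploads.
SUSPICIOUS_MAJOR = 99


def audit_package_json(text: str) -> list[str]:
    """Return human-readable findings for a package.json manifest."""
    manifest = json.loads(text)
    findings = []

    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            cmd = scripts[hook]
            findings.append(f"install hook '{hook}' runs: {cmd}")
            # The pattern in this advisory: the hook invokes a JS file shipped
            # inside the tarball rather than a well-known build tool.
            if "node " in cmd and ".js" in cmd:
                findings.append(f"hook '{hook}' executes a bundled JS file")

    version = manifest.get("version", "")
    major = version.split(".")[0]
    if major.isdigit() and int(major) >= SUSPICIOUS_MAJOR:
        findings.append(f"version {version} looks like a dependency-confusion bump")

    return findings


# Constructed sample manifest (not the real package's file).
SAMPLE = json.dumps({
    "name": "voyager-web",
    "version": "999.0.0",
    "scripts": {
        "preinstall": "node callback.js",
        "postinstall": "node callback.js",
        "test": "echo ok",
    },
})

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE):
        print("[!]", finding)
```

Running installs with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) blocks such hooks outright; the audit above only surfaces them for review.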

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005754",
            "import_time": "2026-06-12T16:32:14.281595828Z",
            "sha256": "a7f4f15201378ec6cee4268469e85e17e50f3f5299d94a250031d6c2693177b8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:24:53Z",
            "versions": [
                "999.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-005755",
            "import_time": "2026-06-12T16:32:14.312971908Z",
            "sha256": "cd454026393d34f4e4a60de90626f8d54fa579915e993e0d7c4297b35b8bc2b9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:24:53Z",
            "versions": [
                "999.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / voyager-web

Package: voyager-web (npm)
Affected ranges: 999.*
Affected versions: 999.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/voyager-web/MAL-2026-5696.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "callback.js",
            "sha256": "2c40fe0264025fbd140ad245dbc08de6241e75e431b61e3c930a5172c1e2c492",
            "tlsh": "8412c9a566f1121005a34794261fa416327af1572756deb0fbac43182fd1b3c93f2efa"
        },
        {
            "path": "package.json",
            "sha256": "564c447ba862afd945e36c320853f7627291d0af19ab407a7d7a689818a380f6",
            "tlsh": "78e0681458255a333cd48bea042a631a2020de0b541c3d097b630188d38ebb74aba2de"
        }
    ],
    "package_integrity": [
        {
            "filename": "voyager-web-999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-+uRvrXdAsKvLIGvZPRE2z3KdfqprCTNQxIotDbQmX0rqjoh28II6pI5VO++xT+Y3PiVNkJ1r6+7pl+7OtBL/5w==",
                "sha1": "b5b3950f09007628c4702e40d2b34a3071894690"
            }
        }
    ],
    "domains": [
        "discord.com",
        "eyjwijoidm95ywdlci13zwiilcj1ijoic2nhbiisimgioijzy2.discord.com",
        "api.ipify.org"
    ]
}