MAL-2026-5697

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web-model-bridge/MAL-2026-5697.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5697
Aliases
  • GHSA-69cw-2vc8-9jm7
Published
2026-06-12T15:24:48Z
Modified
2026-06-16T01:46:46.984808286Z
Summary
Malicious code in web-model-bridge (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893)

On npm install, postinstall.js sends an HTTPS POST to https://ddactic-lab.online/sc/beacon carrying the package name/version, Node version, OS, CI-detection result, and the GITHUBREPOSITORY, GITHUBREPOSITORYOWNER, and GITHUBWORKFLOW environment variables when present. A DNS-lookup fallback encodes the same identifiers as a subdomain under *.b.ddactic-lab.online so the leak still completes even when HTTP egress is filtered — a pattern intended specifically to defeat egress controls. The package itself is a hollow placeholder: package.json describes it as an npm 404 error reference and index.js does nothing but require('web-model-bridge') (its own name) inside a try/catch, so the only effect of installing it is the install-time beacon. Any CI pipeline whose dependency tree references this name will leak the owning GitHub org/repo/workflow identity to an unrelated third-party domain on every build.

Source: ghsa-malware (8ce6eba68a26a38f2702f3d378b5302c82744be39e2bba6a8ad39b21d8267a80)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "9999.99.99"
            ],
            "sha256": "14168589320a79c49b3c70ac3698ae673609824ecff707dc60fe0d04ad789003",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:24:49Z",
            "import_time": "2026-06-12T16:32:14.246273208Z",
            "id": "IN-MAL-2026-005753"
        },
        {
            "versions": [
                "9999.99.99"
            ],
            "sha256": "3d2c385c177531c421e5a49f41d931890a48c16c921b23cc20f2bf4cd8fae893",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:24:48Z",
            "import_time": "2026-06-12T16:32:14.210705166Z",
            "id": "IN-MAL-2026-005752"
        },
        {
            "sha256": "8ce6eba68a26a38f2702f3d378b5302c82744be39e2bba6a8ad39b21d8267a80",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-15T23:55:05Z",
            "source": "ghsa-malware",
            "id": "GHSA-69cw-2vc8-9jm7",
            "import_time": "2026-06-16T01:31:34.706967011Z"
        }
    ]
}
References
Credits

Affected packages

npm / web-model-bridge

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9999.*
9999.99.99

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "web-model-bridge-9999.99.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-cWjsGDhHa7W1GixFg+ZRsPjXhJyUJsDZxMqWui3EndeRjzePWU91tCvLxRAXhgRn24E9fvT8PhGTRJL5pI4lxg==",
                "sha1": "7dea28e4538a5f6e9d81fddf29bd4333dbb6eef7"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e5c7efaa25bd6fc20c40fe6e39a40957043022e78b5ec6d9ad2b9e49a3ef75c8",
            "path": "postinstall.js",
            "tlsh": "e241a755829891340fe122c9b852c8165d7bd49633e799f0774d15226fc92bc03b2fdf"
        },
        {
            "sha256": "3e11f76897c452be2339274b37b9f663353607554ec58ede413a1ffa5942d439",
            "path": "package.json",
            "tlsh": "c7f05c004f705a631dd836a7ac2b31ca77360d8bc4887c08a7d7001c4b4e9eb80bf21e"
        }
    ],
    "domains": [
        "web-model-bridge.none.061132c5.b.ddactic-lab.online",
        "web-model-bridge.none.061132c5.b.ddactic-lab.online.ec2.internal",
        "ddactic-lab.online"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web-model-bridge/MAL-2026-5697.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]