MAL-2026-5736

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-stack-frames/MAL-2026-5736.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5736
Published
2026-06-13T07:00:10Z
Modified
2026-06-13T07:31:42.370949349Z
Summary
Malicious code in node-stack-frames (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158)

package.json declares a preinstall script that runs an inline Node program on npm install. The script requires os and http, collects os.hostname(), os.platform(), and os.arch(), base64-encodes the result, and issues an HTTP GET to https://d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live/?data=<encoded>. The host is a ProjectDiscovery interactsh (OAST) subdomain used as an out-of-band collection endpoint. The package ships no functional code — its own description identifies it as a security holding placeholder — so the only effect of installing it is the automatic exfiltration of installer host identifiers to an attacker-controlled collector. This matches a dependency-confusion / recon beacon pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006317",
            "versions": [
                "4.0.0"
            ],
            "sha256": "5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:00:10Z",
            "import_time": "2026-06-13T07:25:39.32409473Z"
        },
        {
            "id": "IN-MAL-2026-006318",
            "import_time": "2026-06-13T07:25:39.386624699Z",
            "sha256": "eb14f033b6997244fdd890fbfacba9c82a164fd26a201cc39ee76408d70f208e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:00:10Z",
            "versions": [
                "4.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / node-stack-frames

Package

Affected ranges

Affected versions

4.*
4.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "c2eaf84a96b5d085868641e9926823208e8cb638fa21c7d27b19df9123b780a5",
            "tlsh": "92f0c6b04dd0de771ac648811ce14482f175f20f28457545dfc7005d079d87a95f76a5"
        }
    ],
    "package_integrity": [
        {
            "filename": "node-stack-frames-4.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-uuwE1BCNDtK0b1trymwgTuNdAUeJOAQISRRqeVv3r3iMTlYxpCwAIa5P8JIlBqRJjRvAf/3ouHY8F6yR+LDF1A==",
                "sha1": "9f2e1daa4df0f119b48e3a49985f33518f08046e"
            }
        }
    ],
    "ips": [
        "104.16.5.34",
        "10.1.0.2",
        "104.16.9.34"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-stack-frames/MAL-2026-5736.json"