MAL-2026-5739

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sheratan_haha/MAL-2026-5739.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5739
Published
2026-06-13T07:19:44Z
Modified
2026-06-13T07:31:42.294353229Z
Summary
Malicious code in sheratan_haha (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd)

On npm install, the package's declared postinstall hook (node postinstall.js) runs whoami on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7) via https.request. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose — the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name sheratan_haha), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006360",
            "versions": [
                "1.0.1"
            ],
            "sha256": "5417b03a148421c99e85e5179f9911aadfe5ad30144fa4c3bf0eb1cbd8fc2160",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:19:45Z",
            "import_time": "2026-06-13T07:25:42.937796909Z"
        },
        {
            "id": "IN-MAL-2026-006361",
            "versions": [
                "1.0.0"
            ],
            "sha256": "6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:20:36Z",
            "import_time": "2026-06-13T07:25:42.98679707Z"
        },
        {
            "id": "IN-MAL-2026-006359",
            "versions": [
                "1.0.1"
            ],
            "sha256": "8425e7844278696c1b266519af201afa5e89ef4cf8fa0ad7da38a297fcdbbe2f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:19:44Z",
            "import_time": "2026-06-13T07:25:42.82928409Z"
        }
    ]
}
References
Credits

Affected packages

npm / sheratan_haha

Package

Name
sheratan_haha
View open source insights on deps.dev
Purl
pkg:npm/sheratan_haha

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

cwes 
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "3b000e0e744ef8a80f1d503b690be975df0e2e6b75f6951cec18d57862e425ce",
            "tlsh": "a501bd824da235555bf1d6a0f1129608fb83c63ba431c7637bfe02692fe98a00011fdc"
        },
        {
            "path": "package.json",
            "sha256": "0d2fe6d8a937f7d5f6d8992fee001fb1082396e3162859a4d2e49c03e473adc0",
            "tlsh": "13e0c2158811a67313f467a9aa624517b9128f1e05388c0e71bb110c52936a344adf6a"
        }
    ],
    "package_integrity": [
        {
            "filename": "sheratan_haha-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-T8/iNS940hcKVvgU+DXmJ+nItmoCSvd5XXQk78bIUNovie+PqY65leyB+UpFvpDF6+K13d32lG/85RSkT9960A==",
                "sha1": "01a36a51354f57e9bd891f47bad06ffde816e5ec"
            }
        }
    ],
    "ips": [
        "178.63.67.153"
    ],
    "domains": [
        "webhook.site"
    ]
}
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sheratan_haha/MAL-2026-5739.json"