MAL-2026-5742
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/axl-ui/MAL-2026-5742.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5742
- Published
- 2026-06-13T20:11:39Z
- Modified
- 2026-06-13T20:46:41.344764019Z
- Summary
- Malicious code in axl-ui (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (6fbc071f0ee6323c87fa6be049a9b151217f7146605ef89b4494f7ef07e7d534)
axl-ui@9.9.99 is a dependency-confusion squat targeting an internal package name. package.json declares a postinstall hook (
node beacon.js) that fires automatically onnpm install. beacon.js readsos.hostname()and transmits it to a hardcoded Burp Collaborator out-of-band host (tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com) via two channels: a DNS lookup of<nonce>.host.<collaborator>and an HTTPS POST with JSON body{pkg, nonce, host}. The version number 9.9.99 and the self-described "internal placeholder" description are the canonical dependency-confusion shape: any private build that resolvesaxl-uifrom public npm will execute the beacon and leak the host identity to the attacker. Even if framed as a research proof-of-concept, the harm to installers is real — installer-side data leaves the build machine to an attacker-controlled endpoint without consent.Source: ossf-package-analysis (aca109fdc13102e60179b8d6c63a996da233e4910b6260da8838df727f33a64f)
The OpenSSF Package Analysis project identified 'axl-ui' @ 9.9.99 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-006367", "versions": [ "9.9.99" ], "sha256": "6fbc071f0ee6323c87fa6be049a9b151217f7146605ef89b4494f7ef07e7d534", "source": "amazon-inspector", "modified_time": "2026-06-13T20:11:39Z", "import_time": "2026-06-13T20:33:18.334645691Z" }, { "id": "IN-MAL-2026-006368", "versions": [ "9.9.99" ], "sha256": "d1e69c230413d89069c5925f28b54066565427ccea31208d53820f2f8be0dc33", "source": "amazon-inspector", "modified_time": "2026-06-13T20:11:39Z", "import_time": "2026-06-13T20:33:18.398820066Z" }, { "versions": [ "9.9.99" ], "sha256": "aca109fdc13102e60179b8d6c63a996da233e4910b6260da8838df727f33a64f", "source": "ossf-package-analysis", "modified_time": "2026-06-13T20:13:39Z", "import_time": "2026-06-13T20:33:16.986865896Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- OpenSSF: Package Analysis - FINDER
-
Affected packages
npm / axl-ui
Package
- Name
- axl-ui
- View open source insights on deps.dev
- Purl
- pkg:npm/axl-ui
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/axl-ui/MAL-2026-5742.json"
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "beacon.js",
"sha256": "9ebb23782d5e21ad79534b040abd8426aeff2e4b0fa5938c0efb906b20cf8f88",
"tlsh": "bb21baff94a9a1413fa675c4d26f32751113e2618285cfe0f4afd2692f9853942a24fc"
},
{
"path": "package.json",
"sha256": "791fc05e5c866262d82810d13165b5087a2cacb8a25543e94b654c2621a3553f",
"tlsh": "4cd023908d119b7330c44b6d4c72d50e35b14d5f112cb4084f83110032ddbf344ba24f"
}
],
"package_integrity": [
{
"filename": "axl-ui-9.9.99.tgz",
"hashes": {
"sha512_sri": "sha512-Tr/wK2YK8VCXrogIjyPfrJn68SR7G3YTFmGGXFbE/pV4hrZ2+e81MHac9NYbXY4y9LvUm5ruqHHGyvMNcpo1QQ==",
"sha1": "e151ea59792af6b980186905e75d80797fde9c16"
}
}
],
"domains": [
"4f02330e.scan-2bb16be6a3fc.tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com",
"tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com"
]
}