MAL-2026-5745

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oa-crm-webapi/MAL-2026-5745.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5745
Published
2026-06-13T20:11:58Z
Modified
2026-06-13T20:46:41.201051489Z
Summary
Malicious code in oa-crm-webapi (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (00cdaf89f7ae5fd12400ea55acd4849e8e5095dfc51188d3339ecdfa5dc0f2a1)

oa-crm-webapi@9.9.99 is a dependency-confusion payload squatting an internal-sounding package name. Its package.json declares a postinstall hook (node beacon.js) that runs automatically on npm install. beacon.js reads os.hostname() and transmits it to the attacker-controlled Burp Collaborator host yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com over two channels: a DNS lookup of <nonce>.<hostname>.<collaborator-host> (out-of-band DNS exfiltration) and an HTTPS POST to the same host with the hostname in the body. The 9.9.99 version number combined with a generic 'internal placeholder' description is the canonical shape used to hijack private package names by overriding resolution from the legitimate internal registry. A successful install both proves code execution on the installing machine and leaks its internal hostname to an external attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006371",
            "versions": [
                "9.9.99"
            ],
            "sha256": "00cdaf89f7ae5fd12400ea55acd4849e8e5095dfc51188d3339ecdfa5dc0f2a1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:11:58Z",
            "import_time": "2026-06-13T20:33:18.623864738Z"
        },
        {
            "id": "IN-MAL-2026-006372",
            "versions": [
                "9.9.99"
            ],
            "sha256": "b79727b87504bf711bab8101367dab95ab032fbad7b30737cef3852f4317e36c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:11:59Z",
            "import_time": "2026-06-13T20:33:18.697504403Z"
        }
    ]
}

Affected packages

npm / oa-crm-webapi

Affected versions

9.*
9.9.99

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oa-crm-webapi/MAL-2026-5745.json"
indicators
{
    "evidence_files": [
        {
            "path": "beacon.js",
            "sha256": "6ce93adae86d974552f118d547288143808391bac5bfb5c47474ad01dee81e33",
            "tlsh": "fb21c8ff50a8a2823fa775c5d26f23661113d1728281cfe0f4afd2655f9863942628fc"
        }
    ],
    "package_integrity": [
        {
            "filename": "oa-crm-webapi-9.9.99.tgz",
            "hashes": {
                "sha512_sri": "sha512-aT766b83Eym4j2tN/nvPusor2nhhoL/tKvI36NT6S3L4fFCH+FjjzMr39pciYXRHGl3MvIHtUiZhdSb9ile5Hg==",
                "sha1": "f9cc22e6aaa2c4ae6c713a933fb5a150de87bbc1"
            }
        }
    ],
    "domains": [
        "1599f37b.scan-c13bd1511a00.yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com",
        "yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]