MAL-2026-5746

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xy-shared/MAL-2026-5746.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5746
Published
2026-06-13T20:10:25Z
Modified
2026-06-13T20:46:41.360762989Z
Summary
Malicious code in xy-shared (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d631443367624273d8b7d3347b2e173a72f3f7447424f25424dab8e68c4b1a25)

package.json wires both preinstall and postinstall to node callback.js, which runs automatically on npm install. callback.js collects the username, uid/gid, hostname, home directory, cwd, local network interfaces, and the external IP (fetched from api.ipify.org). It enumerates CI metadata (GITHUB_REPOSITORY, GITHUB_ACTOR, GITLAB_USER_LOGIN, JENKINS_URL, BUILD_NUMBER, etc.) and probes for the presence of AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, and DOCKER_PASSWORD in the environment.

The aggregated JSON is POSTed to a hardcoded Discord webhook (discord.com/api/webhooks/1515440532359352331/...). A secondary covert channel base64-encodes the package name, username, hostname, and a timestamp into a DNS subdomain and issues a dns.resolve query, so the data still leaves the host when HTTP egress is blocked but DNS resolution is not.

The package is published at version 999.0.0 under a generic shared-library name: the canonical dependency-confusion shape, designed to outrank an internal xy-shared package in resolvers that consult both public and private registries. The self-described 'PoC' framing does not change the installer-side impact: any build that resolves this package leaks host identity and CI-secret-presence flags to an attacker-controlled endpoint.
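The two behaviours above, install-hook execution and the base64-in-subdomain DNS beacon, are what a triage script needs to recognise. The Node.js script below is an added example written for this page; it is not code from the advisory, from amazon-inspector, or from the xy-shared package. It assumes a beacon layout of base64(JSON) with padding stripped and split into DNS labels of at most 63 octets in front of the base domain, and it treats a major version of 900 or higher as a dependency-confusion candidate; both are assumptions of the example, not facts the advisory states. The manifest and the beacon payload it operates on are constructed inline so it runs offline.

```javascript
// Added example, not code from the advisory or from the xy-shared package:
// an offline triage helper for the two behaviours the advisory describes.
//  1. triageManifest(): flag install-time lifecycle hooks and a
//     dependency-confusion style version in a package.json.
//  2. decodeBeacon(): recover the JSON a base64-in-subdomain DNS beacon
//     carries, from the queried hostname as seen in resolver logs or a pcap.
// Assumptions (not stated by the advisory): the beacon splits the base64
// text into 63-octet labels in front of the base domain, and a major
// version >= 900 is treated as a confusion candidate.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const SUSPICIOUS_MAJOR = 900; // assumption of this example, not an npm rule

// Constructed sample manifest shaped like the one the advisory describes.
const SAMPLE_MANIFEST = {
  name: 'xy-shared',
  version: '999.0.0',
  scripts: {
    preinstall: 'node callback.js',
    postinstall: 'node callback.js',
    test: 'echo ok',
  },
};

// Return one finding per install-time hook plus one for a suspicious version.
function triageManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push({ kind: 'lifecycle-script', hook, command: scripts[hook] });
    }
  }
  const major = parseInt(String(manifest.version).split('.')[0], 10);
  if (Number.isFinite(major) && major >= SUSPICIOUS_MAJOR) {
    findings.push({ kind: 'confusion-version', version: manifest.version });
  }
  return findings;
}

// Build a beacon hostname the way such a channel would: base64(JSON), no
// padding, chunked into DNS labels of at most 63 octets.  Used here only to
// produce constructed input for decodeBeacon().
function encodeBeacon(payload, baseDomain) {
  const b64 = Buffer.from(JSON.stringify(payload), 'utf8')
    .toString('base64')
    .replace(/=+$/, '');
  const labels = b64.match(/.{1,63}/g) || [];
  return [...labels, baseDomain].join('.');
}

// Inverse of encodeBeacon().  Returns null if the name is not under
// baseDomain; { complete: false, raw } if the bytes are not JSON, for
// example when the logging path lowercased the labels (which destroys
// base64, as in the advisory's own indicator) or the label was truncated.
function decodeBeacon(hostname, baseDomain) {
  const suffix = '.' + baseDomain;
  if (!hostname.endsWith(suffix)) return null;
  const b64 = hostname
    .slice(0, -suffix.length)
    .split('.')
    .join('')
    .replace(/-/g, '+')
    .replace(/_/g, '/');
  const text = Buffer.from(b64, 'base64').toString('utf8');
  try {
    return { complete: true, data: JSON.parse(text) };
  } catch (e) {
    return { complete: false, raw: text };
  }
}

// Constructed beacon payload: the four fields the advisory says are leaked.
const SAMPLE_PAYLOAD = { p: 'xy-shared', u: 'ci', h: 'runner-7', t: 1780000000 };
const SAMPLE_QUERY = encodeBeacon(SAMPLE_PAYLOAD, 'discord.com');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageManifest(SAMPLE_MANIFEST));
  console.log(SAMPLE_QUERY);
  console.log(decodeBeacon(SAMPLE_QUERY, 'discord.com'));
}
```

Two installer-side controls close both halves of this. Running npm with --ignore-scripts (or ignore-scripts=true in .npmrc) stops preinstall and postinstall from executing at all, so callback.js never runs; and binding your internal scope to the private registry in .npmrc (@yourscope:registry=https://your-private-registry/) keeps the resolver from ever asking the public registry for an internal package name, which is the resolution path a 999.0.0 decoy relies on. For the DNS channel, the decoder only works on case-preserved names: resolver logs that lowercase queries, as the indicator on this page was, cannot be decoded, so capture raw queries if you need to know what left the host.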

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006364",
            "import_time": "2026-06-13T20:33:18.212589581Z",
            "sha256": "d631443367624273d8b7d3347b2e173a72f3f7447424f25424dab8e68c4b1a25",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:10:25Z",
            "versions": [
                "999.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006365",
            "import_time": "2026-06-13T20:33:18.238585648Z",
            "sha256": "dce85557643b0c4f8c9657100700bfb7ba8384da7bbc6ef44b907edf3b5db11e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:10:25Z",
            "versions": [
                "999.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

Package: npm / xy-shared
Affected ranges: 999.*
Affected versions: 999.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "callback.js",
            "sha256": "ddce4d44730496bce729312531ca761103b8eb0e3063155487d70896a2930edd",
            "tlsh": "4b12d9a566b1561005a347902a0fa416327af1572756deb0bb9c43182fc1b3c93f2efa"
        },
        {
            "path": "package.json",
            "sha256": "5e568b26c783fba8f396c76b696e15cffb556f11d60f708142930c9ac84676f0",
            "tlsh": "16e0682458255d333cd08aeb042a631a2020dd0b141c3c087b630198a38ebb75aba29e"
        }
    ],
    "package_integrity": [
        {
            "filename": "xy-shared-999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-ZGkvBJnz+NkoPJEfeoemyhPQRPcz6l/cbsVGwxKYSXTB//7i+s9f2LuZr0s5ZswzIQKm1hxqXKdLfwrbGEzx1g==",
                "sha1": "f8ce83c71968a70a297a105967aa0bb2dcd09ff2"
            }
        }
    ],
    "ips": [
        "172.67.74.152",
        "104.26.13.205",
        "162.159.138.232",
        "162.159.137.232",
        "104.26.12.205",
        "162.159.135.232"
    ],
    "domains": [
        "api.ipify.org",
        "discord.com",
        "eyjwijoiehktc2hhcmvkiiwidsi6innjyw4ilcjoijoic2nhbi.discord.com"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xy-shared/MAL-2026-5746.json"