MAL-2026-5747

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@giftyhq/widget-components/MAL-2026-5747.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5747
Published
2026-06-13T21:04:52Z
Modified
2026-06-13T21:46:45.606337828Z
Summary
Malicious code in @giftyhq/widget-components (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62)

package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host fingerprinting data — os.hostname(), os.userInfo(), process.platform, uid/gid, shell, cwd, and the output of child_process.exec('whoami') and exec('id') — and POSTs the result as JSON to the hardcoded URL https://zad79wtflht20n15czfieir3quwlkb80.oastify.com/detox56. The destination is a Burp Collaborator (oastify.com) out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The package ships no legitimate component code; metadata is empty (no author, no description) and the package's only effect is the install-time recon beacon. Name and scope are consistent with a dependency-confusion / namespace-squat lure.

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006397",
            "versions": [
                "19.12.11"
            ],
            "sha256": "8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:04:52Z",
            "import_time": "2026-06-13T21:32:33.126156917Z"
        },
        {
            "id": "IN-MAL-2026-006398",
            "versions": [
                "19.12.11"
            ],
            "sha256": "cbc5281f5eee9d9c1c78060b669e0228c72578f384f969d7773dc144a1e10157",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:04:52Z",
            "import_time": "2026-06-13T21:32:33.237021786Z"
        }
    ]
}
References
Credits

Affected packages

npm / @giftyhq/widget-components

Package

Name
@giftyhq/widget-components
View open source insights on deps.dev
Purl
pkg:npm/%40giftyhq%2Fwidget-components

Affected ranges

Affected versions

19.*
19.12.11

Database specific

cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "97144b8512332b532b56c06bde3b346c438a099353c39c1a085016bfb258b27a",
            "tlsh": "0e5140c515f65a241ba7b8494a4f9402a327e0033609ee55bfcc8740af9937c9bf0bf2"
        },
        {
            "path": "package.json",
            "sha256": "aa802b3eb93569b0776a4c4744057fe2e8f7fa6cc27aac3046467965b25acf04",
            "tlsh": "99d05e304e21653369c502a2082aa45762b18e6f5405bc0867dba82d82ce67798fb35d"
        }
    ],
    "package_integrity": [
        {
            "filename": "widget-components-19.12.11.tgz",
            "hashes": {
                "sha512_sri": "sha512-KlZK3xviyngCfPKiDOZ/Wa/5wc2j6Dl+QyXHjdSkLBum1uhh34ffs5ZLFcF6NDp4Fyu+I+ntayk1asTrsiRZmQ==",
                "sha1": "a313c3e424481b1d9147fbe8c1f7f706ade082dc"
            }
        }
    ],
    "ips": [
        "54.77.139.23",
        "3.248.33.252"
    ],
    "domains": [
        "zad79wtflht20n15czfieir3quwlkb80.oastify.com"
    ]
}
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@giftyhq/widget-components/MAL-2026-5747.json"