MAL-2026-5777

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/field-plus/MAL-2026-5777.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5777
Published
2026-06-15T15:10:39Z
Modified
2026-06-15T15:46:47.218771054Z
Summary
Malicious code in field-plus (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0112dc4801bb261e86a2f68d5fd49b6c955bb4e82f872c72e61e49cc638ca91c)

package.json declares both preinstall and postinstall scripts that run curl against a hardcoded bare-IP HTTP endpoint (http://3.7.226.146:9000/callback), sending the installer's username ($(whoami)), hostname ($(hostname)), current working directory ($(pwd)), and a timestamp as query-string parameters. Output is suppressed and errors swallowed with || true so the beacon stays silent during npm install. The tarball ships only package.json — main: index.js is declared but not present — so the package has no library functionality; its sole effect on installation is the identity beacon. Version 99.99.1 plus the description "testing field plus" is the canonical shape of a dependency-confusion / namespace-squat probe used to identify which organizations resolve an internal-named package from the public registry.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0112dc4801bb261e86a2f68d5fd49b6c955bb4e82f872c72e61e49cc638ca91c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:10:39Z",
            "versions": [
                "99.99.1"
            ],
            "id": "IN-MAL-2026-006492",
            "import_time": "2026-06-15T15:30:22.72618569Z"
        },
        {
            "sha256": "da1412d0ba61cadb9c28005b754fac70658159c6671eb92bb66bcc5ffa43d285",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:10:46Z",
            "id": "IN-MAL-2026-006493",
            "versions": [
                "99.99.2"
            ],
            "import_time": "2026-06-15T15:30:22.880616307Z"
        }
    ]
}

Affected packages

npm / field-plus

Affected versions

99.*
99.99.1
99.99.2

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/field-plus/MAL-2026-5777.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "963a826668201501c1872a1aedaf95520fa811aa8095b3fb3f1ee28b38ece30c",
            "tlsh": "1df059147424db333fc0ce6a2955c30b66953f538e147908f3a344197a5d57322ae62e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-SWMGAhx/1mvVCgOkMzOf4t4lURHVq5+cXZGq8BCDa5fxSj5w3SV2R/Lgl4rsMX3uicSsdniYIxJro0I5HTwX7A==",
                "sha1": "5bd564cd142e1e846f33f774984800ddbcb67b5f"
            },
            "filename": "field-plus-99.99.1.tgz"
        }
    ]
}