-= Per source details. Do not edit below this line.=-
On npm install, package.json's preinstall hook executes poc.js, which collects os.hostname(), os.userInfo().username, process.cwd(), and process.platform, base64-encodes the values, and issues an HTTPS GET to https://d8ntv8plujrg25sttkvg31bowtxhm7ex7.oast.live/cb?id=<token>&d=<b64>. This sends the installer's host name, user name, working directory, and platform to an external Burp Collaborator / interactsh subdomain without consent. The package is named to mimic an internal ING Bank namespace and is published at version 99.99.99 so that it wins version resolution in dependency-confusion scenarios. Any developer or CI environment that resolves this name leaks identifying host data to an attacker-controlled collaborator endpoint. Because the hook fires during installation, before any application code imports the package, installing with lifecycle scripts disabled (`npm install --ignore-scripts`) prevents the callback, and DNS or proxy log entries for the oast.live subdomain indicate that it ran. This matches the textbook dependency-confusion exfiltration pattern regardless of any authorization claim made by the author.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006490",
"source": "amazon-inspector",
"modified_time": "2026-06-15T15:10:24Z",
"import_time": "2026-06-15T15:30:22.483059557Z",
"sha256": "175d0dba1f70bc84bcd4e29b57e0f7831248582614cd146af7d1ea6d1d057cd5",
"versions": [
"99.99.99"
]
},
{
"id": "IN-MAL-2026-006491",
"source": "amazon-inspector",
"modified_time": "2026-06-15T15:10:25Z",
"sha256": "1a856d57687500c13a5582ce21b881745336d65d4aa952ca939a301876d65b23",
"versions": [
"99.99.99"
],
"import_time": "2026-06-15T15:30:22.610684557Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ing-feat-itsme-oidc-authentication/MAL-2026-5780.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"ips": [
"178.128.210.172"
],
"domains": [
"d8ntv8plujrg25sttkvg31bowtxhm7ex7.oast.live"
],
"evidence_files": [
{
"path": "poc.js",
"sha256": "026c9331347569ea2c351a3cc07472b65150cca25cd0aefc32d4680563b7092c",
"tlsh": "da0165b243f9d618155164c33743de7a500195042c93a0d4fa3d0200dfe27388373bf8"
},
{
"path": "package.json",
"sha256": "7d6a50657acc399c345f0f29ab3312db361a7b0df8cc390f71f4679849006164",
"tlsh": "4fd0a7296d41e57728d10fe2496aa16631b08d6e5e5670485783902d54cabf393bb30f"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-GK831PdK9oM2PCopvWeZoCmXGMkr4naQvGR2qoXXke4no1dQ3z/JZYmFg6QSyakRlO4OzcerIcc+d86DEQTQ0A==",
"sha1": "b2888ae0eff2ec66c9429a66ba05030d16609ec3"
},
"filename": "ing-feat-itsme-oidc-authentication-99.99.99.tgz"
}
]
}