MAL-2026-5783

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vault-strategies/MAL-2026-5783.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5783

Published

2026-06-15T15:09:23Z

Modified

2026-06-15T15:46:46.611114656Z

Summary

Malicious code in vault-strategies (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6b7037d9efc65a0885cc000a92c46ea9bed2097d02c8fb2883ceaa3eb2fd5eeb)

On npm install, the package's preinstall hook (preinstall: node postinstall.js || true) executes postinstall.js, which enumerates process.env and filters keys with a broad credential regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), bundles the matched values together with hostname, username, cwd, and npm configuration, and POSTs the payload over HTTPS to the hardcoded bare IP 185.130.46.35:8443/collect. Errors are swallowed via || true and try/catch so the exfiltration is silent. The version is published as 999.0.0 with description Internal package — the canonical dependency-confusion shape, designed to be auto-resolved over an organization's private vault-strategies package and fire the credential-harvest payload at install time.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "6b7037d9efc65a0885cc000a92c46ea9bed2097d02c8fb2883ceaa3eb2fd5eeb",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:09:23Z",
            "id": "IN-MAL-2026-006484",
            "versions": [
                "999.0.0"
            ],
            "import_time": "2026-06-15T15:30:21.682689992Z"
        }
    ]
}

References

https://www.npmjs.com/package/vault-strategies/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / vault-strategies

Package

Name: vault-strategies; View open source insights on deps.dev
Purl: pkg:npm/vault-strategies

Affected ranges

Affected versions

999.*

999.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vault-strategies/MAL-2026-5783.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3",
            "tlsh": "ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2",
            "path": "postinstall.js"
        },
        {
            "sha256": "f6ed4caa3e6667e7ddf3b28cb9b4b02300cbe4c086b8c436b34752e9e8d1fe46",
            "tlsh": "a7c022308d12977318c407822862840271a20c2f2000a81807c7285002aa77248ab20e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-dHtKfv+BDGr0N1Dm/KUM0YRHYscD+zV9Vm3dR6HrlZQjXohkrYnHySZyucfOd5aE8XKzzF3Hbma2CdrilAXxiQ==",
                "sha1": "a16db8055cd9fcd9923f898ed4ad394af89ffbcd"
            },
            "filename": "vault-strategies-999.0.0.tgz"
        }
    ]
}