MAL-2026-5792

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nativescript-swisspost-imagepicker/MAL-2026-5792.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5792
Published
2026-06-15T15:54:11Z
Modified
2026-06-15T17:31:48.882242341Z
Summary
Malicious code in nativescript-swisspost-imagepicker (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62)

package.json declares preinstall: node index.js. On npm install, index.js reads process.env.INIT_CWD (the installing project's working directory), takes its basename, and POSTs a JSON payload {pkg, timestamp, transport, project} to the hardcoded URL https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5. The package name nativescript-swisspost-imagepicker, the package description (Security PoC for Bug Bounty), and the comment Harmless dependency confusion PoC in index.js identify this as a dependency-confusion squat targeting an internal Swiss Post NativeScript namespace. On install, the installer's internal project name is silently leaked to a third-party endpoint, confirming the existence and naming of private packages and giving the operator of deepbounty.dd06-dev.fr a directory of organizations whose builds resolved this public package. Author self-labelling it as a bug-bounty PoC does not change the installer-side impact: unsolicited install-time outbound network carrying installer-side identifiers to an attacker-controlled host.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "305d997233ef6f66cb10c6e104f04006090b7a7097f7a2ba3641b791434403ce",
            "id": "IN-MAL-2026-006508",
            "import_time": "2026-06-15T17:22:46.61529705Z",
            "modified_time": "2026-06-15T15:54:12Z",
            "versions": [
                "52.31.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62",
            "id": "IN-MAL-2026-006507",
            "modified_time": "2026-06-15T15:54:11Z",
            "versions": [
                "52.31.0"
            ],
            "import_time": "2026-06-15T17:22:46.559428663Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / nativescript-swisspost-imagepicker

Package

Name
nativescript-swisspost-imagepicker
View open source insights on deps.dev
Purl
pkg:npm/nativescript-swisspost-imagepicker

Affected ranges

Affected versions

52.*
52.31.0

Database specific

indicators
{
    "ips": [
        "90.104.23.140",
        "104.16.9.34",
        "10.1.0.2"
    ],
    "evidence_files": [
        {
            "tlsh": "292147d15ae2662412f555c19967ec0f7227e2077e41e498b98c01491fc912ca672bc9",
            "sha256": "b109c6cb6e8f0a8cf9b86917369549a3fee7688b1af414909b8667dedb0a3f07",
            "path": "index.js"
        },
        {
            "sha256": "5b66e2a180ac229303b95e50ba19b8b52d53adadd54d9c858ef80111c8ebfdc0",
            "tlsh": "e1d0222c0e20b62333818edc1c3ea8c0923e03142019cc0828c42054d2eb3b48b7f286",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "nativescript-swisspost-imagepicker-52.31.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-tp6G/iFQLnVf93PENfhbQCowuYhBripdP5GVfpYPqqSpMpK2V7V5UHqdGUUHPjNpNefdqmY7k5S7uiDjf//m8w==",
                "sha1": "0f76ef808e95ff333ca18d823b38e2ab000d6f3e"
            }
        }
    ],
    "domains": [
        "deepbounty.dd06-dev.fr"
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nativescript-swisspost-imagepicker/MAL-2026-5792.json"