-= Per source details. Do not edit below this line.=-
package.json declares preinstall: node index.js. On npm install, index.js reads process.env.INIT_CWD (the installing project's working directory), takes its basename, and POSTs a JSON payload {pkg, timestamp, transport, project} to the hardcoded URL https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5. The package name nativescript-swisspost-imagepicker, the package description (Security PoC for Bug Bounty), and the comment Harmless dependency confusion PoC in index.js identify this as a dependency-confusion squat targeting an internal Swiss Post NativeScript namespace. On install, the installer's internal project name is silently leaked to a third-party endpoint, confirming the existence and naming of private packages and giving the operator of deepbounty.dd06-dev.fr a directory of organizations whose builds resolved this public package. Author self-labelling it as a bug-bounty PoC does not change the installer-side impact: unsolicited install-time outbound network carrying installer-side identifiers to an attacker-controlled host.
{
"malicious-packages-origins": [
{
"sha256": "305d997233ef6f66cb10c6e104f04006090b7a7097f7a2ba3641b791434403ce",
"id": "IN-MAL-2026-006508",
"import_time": "2026-06-15T17:22:46.61529705Z",
"modified_time": "2026-06-15T15:54:12Z",
"versions": [
"52.31.0"
],
"source": "amazon-inspector"
},
{
"sha256": "b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62",
"id": "IN-MAL-2026-006507",
"modified_time": "2026-06-15T15:54:11Z",
"versions": [
"52.31.0"
],
"import_time": "2026-06-15T17:22:46.559428663Z",
"source": "amazon-inspector"
}
]
}{
"ips": [
"90.104.23.140",
"104.16.9.34",
"10.1.0.2"
],
"evidence_files": [
{
"tlsh": "292147d15ae2662412f555c19967ec0f7227e2077e41e498b98c01491fc912ca672bc9",
"sha256": "b109c6cb6e8f0a8cf9b86917369549a3fee7688b1af414909b8667dedb0a3f07",
"path": "index.js"
},
{
"sha256": "5b66e2a180ac229303b95e50ba19b8b52d53adadd54d9c858ef80111c8ebfdc0",
"tlsh": "e1d0222c0e20b62333818edc1c3ea8c0923e03142019cc0828c42054d2eb3b48b7f286",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "nativescript-swisspost-imagepicker-52.31.0.tgz",
"hashes": {
"sha512_sri": "sha512-tp6G/iFQLnVf93PENfhbQCowuYhBripdP5GVfpYPqqSpMpK2V7V5UHqdGUUHPjNpNefdqmY7k5S7uiDjf//m8w==",
"sha1": "0f76ef808e95ff333ca18d823b38e2ab000d6f3e"
}
}
],
"domains": [
"deepbounty.dd06-dev.fr"
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nativescript-swisspost-imagepicker/MAL-2026-5792.json"