MAL-2026-5793

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nativescript-swisspost-pcc-creative-editor/MAL-2026-5793.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5793
Published
2026-06-15T15:54:05Z
Modified
2026-06-15T17:31:48.912887021Z
Summary
Malicious code in nativescript-swisspost-pcc-creative-editor (npm)
Details


Source: amazon-inspector (a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049)

Package masquerades as an internal Swiss Post NativeScript package (name "nativescript-swisspost-pcc-creative-editor", description literally "Security PoC for Bug Bounty"). package.json declares a lifecycle hook "preinstall": "node index.js". On npm install, index.js reads process.env.INIT_CWD, takes its basename as the installer's project directory name, and POSTs it together with a timestamp to a hardcoded callback URL https://deepbounty.dd06-dev.fr/cb/dc8ee9ff-1372-47c3-b2b6-ce0564ce1f90. Effect on the installer: arbitrary Node code executes at install time, and the installer's project name is leaked to a third-party host without consent. Although the author labels it a bug-bounty proof of concept, the package is structurally a dependency-confusion attack: any developer or build system that pulls it expecting the legitimate internal Swiss Post package suffers code execution and information disclosure.
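The two properties the description relies on (an install-time lifecycle hook, and a public package name that collides with an internal one) are both visible in package.json before anything is installed. The following Python is an added example, not part of the OSV record or the ossf/malicious-packages project: it flags install-time hooks in a package.json, checks a public name against an organisation's internal prefixes, and checks whether an .npmrc disables lifecycle scripts. The sample package.json is constructed to mirror the advisory; the internal-prefix list and the command regex are assumptions of the example.

```python
"""Audit an npm package.json for install-time lifecycle hooks.

Added example; not the advisory's or the project's own code. The sample
package.json below is constructed to mirror the advisory's description.
"""
import json
import re

# npm runs these scripts automatically during `npm install`, before the
# installer has had a chance to read any of the package's code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Interpreters and downloaders that commonly appear in install hooks.
# This list is an assumption of the example, not an npm definition.
SUSPICIOUS_CMD = re.compile(r"\b(node|sh|bash|curl|wget|powershell|python)\b")


def audit_package_json(text: str) -> list[dict]:
    """Return one finding per lifecycle hook that executes code at install time."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append({
                "hook": hook,
                "command": cmd,
                "runs_interpreter": bool(SUSPICIOUS_CMD.search(cmd)),
            })
    return findings


def dependency_confusion_risk(pkg_name: str, internal_prefixes: tuple[str, ...]) -> bool:
    """True if a public package name matches one of the org's internal naming
    patterns. `internal_prefixes` is assumed to be maintained by the org."""
    return any(pkg_name.startswith(p) for p in internal_prefixes)


def npmrc_blocks_scripts(npmrc_text: str) -> bool:
    """True if an .npmrc sets ignore-scripts=true (npm then skips lifecycle hooks).
    Handles '#' and ';' comments and whitespace around '='."""
    for raw in npmrc_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "ignore-scripts":
            return value.lower() == "true"
    return False


# Constructed sample mirroring the advisory: a preinstall hook running node.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "nativescript-swisspost-pcc-creative-editor",
    "version": "54.16.3",
    "description": "Security PoC for Bug Bounty",
    "scripts": {"preinstall": "node index.js", "test": "echo ok"},
})

# Assumed internal naming prefix for the example.
INTERNAL_PREFIXES = ("nativescript-swisspost-",)

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON):
        print("install-time hook:", finding)
    name = json.loads(SAMPLE_PACKAGE_JSON)["name"]
    print("collides with internal prefix:", dependency_confusion_risk(name, INTERNAL_PREFIXES))
    print("ignore-scripts enforced:", npmrc_blocks_scripts("ignore-scripts=true\n"))
```

The check is a pre-install gate, not a replacement for review: a finding means a package will run code before any of it has been read. Setting ignore-scripts=true in .npmrc stops npm from running the hook at all, and pinning an internal scope to a private registry removes the naming collision that makes the confusion attack work.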

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049",
            "id": "IN-MAL-2026-006505",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:54:05Z",
            "versions": [
                "54.16.3"
            ],
            "import_time": "2026-06-15T17:22:46.367601595Z"
        },
        {
            "sha256": "c8eca023031e2488506fef1a8b6917bc8a860495d86b3e644595da683f9f77f7",
            "id": "IN-MAL-2026-006506",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T15:54:06Z",
            "versions": [
                "54.16.3"
            ],
            "import_time": "2026-06-15T17:22:46.421029997Z"
        }
    ]
}
References
Credits

Affected packages

npm / nativescript-swisspost-pcc-creative-editor

Package

Name
nativescript-swisspost-pcc-creative-editor
Purl
pkg:npm/nativescript-swisspost-pcc-creative-editor

Affected ranges
54.*

Affected versions
54.16.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nativescript-swisspost-pcc-creative-editor/MAL-2026-5793.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "domains": [
        "deepbounty.dd06-dev.fr"
    ],
    "evidence_files": [
        {
            "sha256": "53f5a9b421295e5579d6e3bd0d511b19a9b0e878e74eee3d4c6281e2157a057c",
            "tlsh": "0021479157e2963012e659d1c96bdd0f731ba2077e01e498f9cc01591fcd12c9672fdd",
            "path": "index.js"
        },
        {
            "sha256": "4279d77237f7666948eda89da2726d3ce2f71e9ee909bb0867b909d311febf08",
            "tlsh": "78d0a72e4d10b95322808edd483d50c4926d03142415c80858c42064d0d67b9872e156",
            "path": "package.json"
        }
    ],
    "ips": [
        "10.1.0.2",
        "90.104.23.140",
        "104.16.5.34"
    ],
    "package_integrity": [
        {
            "filename": "nativescript-swisspost-pcc-creative-editor-54.16.3.tgz",
            "hashes": {
                "sha1": "8d511a82aca00f8d13e56c46557aaa9512853578",
                "sha512_sri": "sha512-BCgo5lTPX6Lho5yJbOpUV7YaWg1UD7Atw5IZ7kdQ0yFOOzS2hc+H41Va9QbFqzi631YhVJFGID32FPdzn9YWuQ=="
            }
        }
    ]
}