MAL-2026-5802

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cardano-addresses-docs/MAL-2026-5802.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5802
Published
2026-06-15T18:26:01Z
Modified
2026-06-15T19:06:36.830181347Z
Summary
Malicious code in cardano-addresses-docs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75)

package.json declares a preinstall hook (node index.js) that runs automatically on npm install. index.js collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, full package.json) and reads /etc/passwd and /etc/hosts from the installer's machine, then HTTPS-POSTs the JSON payload to swsusmhg43tobo96re8dwn0vomudi46t.oastify.com — a Burp Collaborator out-of-band domain. The package has empty author, empty description, no real functionality, and a name impersonating the legitimate cardano-addresses Cardano library — consistent with a dependency-confusion / typosquat reconnaissance payload.

Database specific 
{
    "malicious-packages-origins": [
        {
            "sha256": "12312d4129dbe9579e9b2acc3761b1237f427ced1324198f61d13d349bced45a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:26:02Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-006657",
            "import_time": "2026-06-15T18:54:56.321338173Z"
        },
        {
            "sha256": "9d99ae2a620ac8a3db31cde344d6d1e46914f785b3d5f4b8debdb20d64fa9c75",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:26:01Z",
            "id": "IN-MAL-2026-006656",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-15T18:54:56.235793458Z"
        }
    ]
}
References
Credits

Affected packages

npm / cardano-addresses-docs

Package

Name
cardano-addresses-docs
View open source insights on deps.dev
Purl
pkg:npm/cardano-addresses-docs

Affected ranges

Affected versions

1.*
1.0.1

Database specific

cwes 
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cardano-addresses-docs/MAL-2026-5802.json"
indicators 
{
    "evidence_files": [
        {
            "sha256": "23e4dbfd1ac0ec73b0c23682e261be4ba8341d1246d913b2407ba2602fa25016",
            "tlsh": "e1411195a2d917330de210c0aa0c70813359fa767259a89076cf42d6af869f8b7226f3",
            "path": "index.js"
        },
        {
            "sha256": "3f47626e2493e3920b5c3ac40314775728864eacbe21bf55fa9829e37c773c3d",
            "tlsh": "69d0a7304e22a53325c606a64c2b948772618f6f04083c0867df582c92ee677acff32c",
            "path": "package.json"
        }
    ],
    "domains": [
        "swsusmhg43tobo96re8dwn0vomudi46t.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-i6tV1JmWrsvv+d4iPlhkk1iU0seR1aDY9GLxHv3h6w9YOpybMVhhJeJscYyQwEviSjUXA1gF8WHv/zha3JiC4w==",
                "sha1": "deff72c5897c46748b89749362d135fde1f945c1"
            },
            "filename": "cardano-addresses-docs-1.0.1.tgz"
        }
    ],
    "ips": [
        "3.248.33.252",
        "54.77.139.23"
    ]
}