MAL-2026-5829

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unico-android/MAL-2026-5829.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5829

Published

2026-06-15T11:56:23Z

Modified

2026-06-16T06:01:49.374465846Z

Summary

Malicious code in unico-android (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c642a2e29290c07b5c7eb9481ad34f1b907e43ffe5edd8c33f67254f4e9a192)

On npm install, the package.json preinstall hook runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query parameters carrying the installer's hostname, username ($(whoami)), current working directory ($(pwd)), kernel/OS string ($(uname -a)), and $HOME. The destination is a third-party request-capture service used as ad-hoc C2; the installer has not consented to this outbound transmission. The package otherwise ships no functional code despite advertising itself as the "Unico Android SDK - biometric identity verification" library, and is published at version 9.9.9 — a sentinel commonly used to outrank legitimate internal versions in dependency-confusion attacks against an organization's private registry. The combination of a hollow manifest impersonating an internal SDK name, a sentinel version, and an automatic install-time recon beacon is the canonical dependency-confusion / namespace-abuse attack shape.

Source: ossf-package-analysis (d6c5b81593e67b897531a12889d12e8a8763647a835852fa85e14be94958b6c7)

The OpenSSF Package Analysis project identified 'unico-android' @ 9.9.9 (npm) as malicious.

It is considered malicious because:

The package executes one or more commands associated with malicious behavior.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "8c642a2e29290c07b5c7eb9481ad34f1b907e43ffe5edd8c33f67254f4e9a192",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T19:59:36Z",
            "id": "IN-MAL-2026-006697",
            "versions": [
                "9.9.9"
            ],
            "import_time": "2026-06-15T20:14:28.955979375Z"
        },
        {
            "sha256": "d6c5b81593e67b897531a12889d12e8a8763647a835852fa85e14be94958b6c7",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-15T11:56:23Z",
            "versions": [
                "9.9.9"
            ],
            "import_time": "2026-06-16T05:56:18.303697362Z"
        }
    ]
}

References

https://www.npmjs.com/package/unico-android/v/9.9.9

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / unico-android

Package

Name: unico-android; View open source insights on deps.dev
Purl: pkg:npm/unico-android

Affected ranges

Affected versions

9.*

9.9.9

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unico-android/MAL-2026-5829.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "41389b0423caa7497618dc5bf1e11fa229e16993e31ec095aaee3ceec7d14d8f",
            "tlsh": "bce068e2df18e22133da5952be185084ff616e4f15303e18ba8346a0201c2b94483f2e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha256-zDQJgVuKgY9x4z2lYNO6qBGQTktMFjOPPiYWunbd7ds=",
                "sha1": "fdab46a17081bf13318b0fdf8d3ac28d41145778"
            },
            "filename": "unico-android-9.9.9.tgz"
        }
    ]
}