MAL-2026-5830

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unico-check/MAL-2026-5830.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5830

Published

2026-06-15T11:26:18Z

Modified

2026-06-16T06:01:49.615179998Z

Summary

Malicious code in unico-check (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d)

package.json declares a preinstall lifecycle hook that runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f, passing the installer's hostname, current user, working directory, full uname -a output, and $HOME as query parameters. The beacon fires automatically on npm install with no user interaction. The package ships no source files, declares no main entry, and uses the implausible version 9.9.9 — the canonical shape of a dependency-confusion / typosquat reconnaissance package targeting builds that may resolve a private unico-check from the public registry. The package's only effect on installation is to leak host identifiers to an anonymous, attacker-controlled webhook.site bin, staging follow-on compromise.

Source: ossf-package-analysis (61af12e58a8af18142c41410d07328ba0dbfb7e79b145d84b2389444c27b2abc)

The OpenSSF Package Analysis project identified 'unico-check' @ 9.9.9 (npm) as malicious.

It is considered malicious because:

The package executes one or more commands associated with malicious behavior.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006698",
            "import_time": "2026-06-15T20:14:29.063431799Z",
            "versions": [
                "9.9.9"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T19:59:40Z",
            "sha256": "1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d"
        },
        {
            "import_time": "2026-06-16T05:56:18.487539067Z",
            "versions": [
                "9.9.9"
            ],
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-15T11:26:18Z",
            "sha256": "61af12e58a8af18142c41410d07328ba0dbfb7e79b145d84b2389444c27b2abc"
        }
    ]
}

References

https://www.npmjs.com/package/unico-check/v/9.9.9

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

npm / unico-check

Package

Name: unico-check; View open source insights on deps.dev
Purl: pkg:npm/unico-check

Affected ranges

Affected versions

9.*

9.9.9

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unico-check/MAL-2026-5830.json"

indicators

{
    "package_integrity": [
        {
            "filename": "unico-check-9.9.9.tgz",
            "hashes": {
                "sha1": "e78a853c7ef72164079336f3681395ec35c8a367",
                "sha512_sri": "sha256-7GOZUC/PuPKB1WST4qGezTDAR5Ej2eJMavsma6W+x1M="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "013f522d7050d6ac7256e878e84e203afe73cfc9e8ab6332717e66382f05968c",
            "tlsh": "bce0c0f39e14e22133d75892ad206485fba16e4e52343e18bac34541004c6ba440372c"
        }
    ]
}