MAL-2026-5832

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vend-utilities/MAL-2026-5832.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5832
Published
2026-06-15T19:24:31Z
Modified
2026-06-15T20:31:52.774450983Z
Summary
Malicious code in vend-utilities (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1)

package.json declares a preinstall script (preinstall: node index.js), so index.js runs automatically on npm install. The script collects installer host identity (os.hostname(), os.userInfo() including uid/gid/shell/homedir, process.cwd(), process.platform/arch, OS release, memory, cpus) and executes whoami and id via child_process to capture their output, then POSTs the combined JSON payload to a hardcoded Burp Collaborator subdomain at https://6cjy9tle5weq8pr6m8r5znzd349vxmlb.oastify.com/detox56 (index.js:7, :83). The package has empty author/description metadata and a dependency-confusion-style name. An undeclared 10.8 KB sibling file named "i" ships in the tarball but is not reached by the preinstall path. Installing this package leaks installer host identity and shell-recon output to an attacker-controlled endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7e920e81a12f006bdeabc6fcfe8f9ddf6620e280edeb68435d4b1f6aaf4752a4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T19:24:32Z",
            "versions": [
                "14.12.11"
            ],
            "id": "IN-MAL-2026-006671",
            "import_time": "2026-06-15T20:14:25.790885098Z"
        },
        {
            "sha256": "89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T19:24:31Z",
            "id": "IN-MAL-2026-006670",
            "versions": [
                "14.12.11"
            ],
            "import_time": "2026-06-15T20:14:25.689309347Z"
        }
    ]
}

Affected packages

npm / vend-utilities

Package

Affected ranges

Affected versions

14.*
14.12.11

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vend-utilities/MAL-2026-5832.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "c47fd0cd5a3d76aa07876935f1337076e75bfb75876e9dc5bef123a1ec50d883",
            "tlsh": "7d5152c515f699241b67b8494a4f9402a327e0033509ee55bfcc8340af8837c97f0bf6",
            "path": "index.js"
        },
        {
            "sha256": "5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a",
            "tlsh": "d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123",
            "path": "i"
        }
    ],
    "domains": [
        "6cjy9tle5weq8pr6m8r5znzd349vxmlb.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-g4nBNfMk38t2X6YOUELSEmM4UbHcAvXcPHpfFvJU+0P952wZPFB/aRfCXptW5ivKaZ5LR6ZR+swMtTpOv0FEBQ==",
                "sha1": "6291107c94b556b2871b3b94f04feb0caaf168bd"
            },
            "filename": "vend-utilities-14.12.11.tgz"
        }
    ],
    "ips": [
        "54.77.139.23",
        "3.248.33.252"
    ]
}