MAL-2026-5863

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ts-internal/shared-lib/MAL-2026-5863.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5863
Published
2026-06-16T04:24:55Z
Modified
2026-06-16T06:01:49.871440326Z
Summary
Malicious code in @ts-internal/shared-lib (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171)

The package squats the internal-looking scope @ts-internal/shared-lib on the public npm registry and runs a network beacon both during install (preinstall and postinstall hooks invoke node lifecycle.js) and on module load (index.js calls require('./beacon').beacon('require')). beacon.js collects os.hostname(), os.userInfo().username, process.cwd(), os.platform(), and the package name/version, hex-encodes the blob, and transmits it via DNS lookup and HTTPS GET to d8oa6q03t3o2ksbjirogwxiwiyhp6e57o.oast.site (an interactsh OAST collector) and npm-dc-seek-1781572474.testingboxes.com. Any build that misresolves this name to the public registry will silently leak identifying host metadata to two third-party endpoints. The README self-describes the package as a dependency-confusion proof-of-concept, but installers cannot consent and cannot verify researcher authorization; the squat-plus-beacon mechanism is the attack regardless of stated intent.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T04:24:55Z",
            "versions": [
                "9.9.9"
            ],
            "id": "IN-MAL-2026-006747",
            "import_time": "2026-06-16T05:56:20.517273705Z"
        }
    ]
}

Affected packages

npm / @ts-internal/shared-lib

Package

Name
@ts-internal/shared-lib
Purl
pkg:npm/%40ts-internal%2Fshared-lib

Affected ranges

Affected versions

9.*
9.9.9

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ts-internal/shared-lib/MAL-2026-5863.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "a812895da2340ecc7cb988fb7fb87e635aa264638af407101310b2907fffb128",
            "tlsh": "9c5147bb21a5621f0351329e169f33a8a7b3e3e906c45fe4389c9314af74cbc02458f9",
            "path": "beacon.js"
        },
        {
            "sha256": "5763080940053b28d0ab6698ede42ca86d84899b8c62811ea03a084ae37349ec",
            "tlsh": "d211653780f1533e4f904623247a22b67722e4a2282f41c4b0a50b5b1567d58939f7f7",
            "path": "README.md"
        },
        {
            "sha256": "747352bd356295d6ddd6e21bb9aed03a3ab7b76d3b2c5ac77e1edd61d61b17ba",
            "tlsh": "5901c222c020aea714d0aee8f47f101675e54f6715146e093aa7000c668feab10ff21f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ncdjBFZdt3SWHfEhjpqhU1sxE+2ugfONGyA/GTRKSHl9CW4kpWCOVrHtZ2JDfkuCjf3MqTZyFzg5pgU0nQHxMA==",
                "sha1": "1519a342f59132afcf00e0bb30edef13cb1c8a2b"
            },
            "filename": "shared-lib-9.9.9.tgz"
        }
    ]
}