-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall hook (preinstall: node index.js in package.json) executes index.js, which reads process.env.INIT_CWD, derives the installing project's directory name via path.basename(), and POSTs a JSON beacon {pkg, timestamp, transport, project} to a hardcoded callback URL https://deepbounty.dd06-dev.fr/cb/e51c2215-3fa8-48f1-ad64-1cf792e0cccc. The package is published under the @dsft scope and self-describes as a dependency-confusion PoC (description: Security PoC for Bug Bounty; index.js comment: Harmless dependency confusion PoC). Any build pipeline that expects a private @dsft/ft-element package and resolves to this public version will silently leak the project's directory name — which typically equals the private package/repo name — to a third-party endpoint, confirming a successful dependency-confusion takeover target. Installers receive no disclosure or consent. Although the author frames this as harmless research, the mechanism (unconditional install-time beacon containing host-identifying context to an attacker-controlled URL) is a supply-chain attack against any installer the scope collision affects.
{
"malicious-packages-origins": [
{
"sha256": "7a7ba80413e901c3cf618c92bd61dc6942bf167fac46b0dc7c554a4a06f705c1",
"id": "IN-MAL-2026-006755",
"import_time": "2026-06-16T16:06:33.396901985Z",
"versions": [
"2.5.9"
],
"modified_time": "2026-06-16T15:27:18Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "7655a87a22c24a1fa1d5f96220098e71a101198b189b7b9e167d6d4af2ff6e4e",
"tlsh": "5e2144a01be3a62012f959c0856bed0e732ba2077e42e498f98c01991fcd12c9172fc9",
"path": "index.js"
},
{
"sha256": "b7d6f4ab7a02c0fd2f5188e79d5957d59b5596bc91ec4de8a349108001826363",
"tlsh": "99c0127c4d15b6237ad58edd0c7ea48891ae02142056cc4868c53064d0fa6b5956f745",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "ft-element-2.5.9.tgz",
"hashes": {
"sha512_sri": "sha512-UU0s152Eiv5XhNP4u3hfwgu6YtWWbz6uhx+xsXFvQ5uXeYSi/Fzo5in2iRtwo6/rXN2YnquC1TfglWtVlmmrCQ==",
"sha1": "22f16cf2b1894ca5163ef4c876c5fd806f213a12"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dsft/ft-element/MAL-2026-5889.json"