MAL-2026-5889

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dsft/ft-element/MAL-2026-5889.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5889
Published
2026-06-16T15:27:18Z
Modified
2026-06-16T16:16:49.196132503Z
Summary
Malicious code in @dsft/ft-element (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7a7ba80413e901c3cf618c92bd61dc6942bf167fac46b0dc7c554a4a06f705c1)

On npm install, the package's preinstall hook (preinstall: node index.js in package.json) executes index.js, which reads process.env.INIT_CWD, derives the installing project's directory name via path.basename(), and POSTs a JSON beacon {pkg, timestamp, transport, project} to a hardcoded callback URL https://deepbounty.dd06-dev.fr/cb/e51c2215-3fa8-48f1-ad64-1cf792e0cccc. The package is published under the @dsft scope and self-describes as a dependency-confusion PoC (description: Security PoC for Bug Bounty; index.js comment: Harmless dependency confusion PoC). Any build pipeline that expects a private @dsft/ft-element package and resolves to this public version will silently leak the project's directory name — which typically equals the private package/repo name — to a third-party endpoint, confirming a successful dependency-confusion takeover target. Installers receive no disclosure or consent. Although the author frames this as harmless research, the mechanism (unconditional install-time beacon containing host-identifying context to an attacker-controlled URL) is a supply-chain attack against any installer the scope collision affects.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7a7ba80413e901c3cf618c92bd61dc6942bf167fac46b0dc7c554a4a06f705c1",
            "id": "IN-MAL-2026-006755",
            "import_time": "2026-06-16T16:06:33.396901985Z",
            "versions": [
                "2.5.9"
            ],
            "modified_time": "2026-06-16T15:27:18Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @dsft/ft-element

Package

Name
@dsft/ft-element
View open source insights on deps.dev
Purl
pkg:npm/%40dsft%2Fft-element

Affected ranges

Affected versions

2.*
2.5.9

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "7655a87a22c24a1fa1d5f96220098e71a101198b189b7b9e167d6d4af2ff6e4e",
            "tlsh": "5e2144a01be3a62012f959c0856bed0e732ba2077e42e498f98c01991fcd12c9172fc9",
            "path": "index.js"
        },
        {
            "sha256": "b7d6f4ab7a02c0fd2f5188e79d5957d59b5596bc91ec4de8a349108001826363",
            "tlsh": "99c0127c4d15b6237ad58edd0c7ea48891ae02142056cc4868c53064d0fa6b5956f745",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "ft-element-2.5.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-UU0s152Eiv5XhNP4u3hfwgu6YtWWbz6uhx+xsXFvQ5uXeYSi/Fzo5in2iRtwo6/rXN2YnquC1TfglWtVlmmrCQ==",
                "sha1": "22f16cf2b1894ca5163ef4c876c5fd806f213a12"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dsft/ft-element/MAL-2026-5889.json"