-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall hook (preinstall: node index.js in package.json) executes index.js, which reads the installer's project directory via process.env.INIT_CWD, takes its basename as safeProjectName, and POSTs a JSON payload containing that name and a timestamp to a hardcoded callback URL https://deepbounty.dd06-dev.fr/cb/d9b7e171-33a4-49c7-aa79-c95794030d3b. The package self-describes as a 'Security PoC for Bug Bounty' / 'Harmless dependency confusion PoC', and the name strict-engine-peer is consistent with squatting an internal/private package name on the public npm registry. Any developer or build system that resolves this package — typically by accident, via dependency confusion against an internal package of the same name — silently discloses the existence and name of an internal project to the third-party endpoint. The 'research' framing does not change the installer-side impact: unconsented network beacon at install time, leaking organizational metadata to an attacker-controlled host.
{
"malicious-packages-origins": [
{
"versions": [
"22.18.0"
],
"id": "IN-MAL-2026-006768",
"import_time": "2026-06-16T16:06:34.757029404Z",
"modified_time": "2026-06-16T15:41:38Z",
"sha256": "0913b30a168bfed09d3c5ae59aeaf6a305a395f86516fb1fb8ece60bb95904de",
"source": "amazon-inspector"
},
{
"sha256": "ac925bb7b76abeaac88261c3f69c48a2940832889dd660b9cdd8af443b0c1183",
"id": "IN-MAL-2026-006767",
"modified_time": "2026-06-16T15:41:33Z",
"versions": [
"1.0.0"
],
"import_time": "2026-06-16T16:06:34.628605777Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "d52142d516c2a17067f18fd0c4266d0af32bf2177b43c199bdac41892fb11286262dde",
"sha256": "0ed234f98dae25f55503630021f8ed05abcb5ac25e56144963d69b5420fc811f",
"path": "index.js"
},
{
"sha256": "f43927d8fd4a65e30b3d044b3f74e5b0dc3a3b6ca41c11e9a2b10c1d374f0616",
"tlsh": "7fd0223f9cd0b02321c4cfc0283650a01031032c212acc54b8cc3c21d0e27b2aa2f705",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "strict-engine-peer-22.18.0.tgz",
"hashes": {
"sha512_sri": "sha512-k2hhqaicRXlxMirbv+UxhXh19Ug1dbhx+ERO/PjROsA7GVJhUQulrcE6dcTLw0HqXq88bNH68tRcteXK+Lc03g==",
"sha1": "0a5c0df2e5d1a0007a1d480cd2a0598b8488a59f"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/strict-engine-peer/MAL-2026-5898.json"