MAL-2026-5898

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/strict-engine-peer/MAL-2026-5898.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5898
Published
2026-06-16T15:41:33Z
Modified
2026-06-16T16:16:48.475372406Z
Summary
Malicious code in strict-engine-peer (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0913b30a168bfed09d3c5ae59aeaf6a305a395f86516fb1fb8ece60bb95904de)

On npm install, the package's preinstall hook (preinstall: node index.js in package.json) executes index.js, which reads the installer's project directory via process.env.INIT_CWD, takes its basename as safeProjectName, and POSTs a JSON payload containing that name and a timestamp to a hardcoded callback URL https://deepbounty.dd06-dev.fr/cb/d9b7e171-33a4-49c7-aa79-c95794030d3b. The package self-describes as a 'Security PoC for Bug Bounty' / 'Harmless dependency confusion PoC', and the name strict-engine-peer is consistent with squatting an internal/private package name on the public npm registry. Any developer or build system that resolves this package — typically by accident, via dependency confusion against an internal package of the same name — silently discloses the existence and name of an internal project to the third-party endpoint. The 'research' framing does not change the installer-side impact: unconsented network beacon at install time, leaking organizational metadata to an attacker-controlled host.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "22.18.0"
            ],
            "id": "IN-MAL-2026-006768",
            "import_time": "2026-06-16T16:06:34.757029404Z",
            "modified_time": "2026-06-16T15:41:38Z",
            "sha256": "0913b30a168bfed09d3c5ae59aeaf6a305a395f86516fb1fb8ece60bb95904de",
            "source": "amazon-inspector"
        },
        {
            "sha256": "ac925bb7b76abeaac88261c3f69c48a2940832889dd660b9cdd8af443b0c1183",
            "id": "IN-MAL-2026-006767",
            "modified_time": "2026-06-16T15:41:33Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-16T16:06:34.628605777Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / strict-engine-peer

Package

Affected ranges

Affected versions

1.*
1.0.0
22.*
22.18.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "d52142d516c2a17067f18fd0c4266d0af32bf2177b43c199bdac41892fb11286262dde",
            "sha256": "0ed234f98dae25f55503630021f8ed05abcb5ac25e56144963d69b5420fc811f",
            "path": "index.js"
        },
        {
            "sha256": "f43927d8fd4a65e30b3d044b3f74e5b0dc3a3b6ca41c11e9a2b10c1d374f0616",
            "tlsh": "7fd0223f9cd0b02321c4cfc0283650a01031032c212acc54b8cc3c21d0e27b2aa2f705",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "strict-engine-peer-22.18.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-k2hhqaicRXlxMirbv+UxhXh19Ug1dbhx+ERO/PjROsA7GVJhUQulrcE6dcTLw0HqXq88bNH68tRcteXK+Lc03g==",
                "sha1": "0a5c0df2e5d1a0007a1d480cd2a0598b8488a59f"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/strict-engine-peer/MAL-2026-5898.json"