MAL-2026-6065

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lab-services/MAL-2026-6065.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6065

Published

2026-06-17T17:04:43Z

Modified

2026-06-17T17:46:56.384294014Z

Summary

Malicious code in lab-services (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4acaa72e3c14b79785540c878cb48f7a0cdc238d20ac9cebd6ffdd42061f6e7b)

On npm install, the package's preinstall lifecycle script (node.js) collects host identifiers from the installing machine — hostname, public IP (resolved via api.ipify.org), current working directory, OS platform, and architecture — and POSTs them to a hardcoded Discord webhook at discord.com/api/webhooks/1516798168304586833/. The behavior fires automatically with no opt-in and no user interaction. The package is published at version 99.0.0 with a description self-identifying as an 'Authorized Security Research PoC - Dependency Confusion Assessment' and keywords including 'bugbounty', 'msrc', 'security-holding' — the structural shape of a dependency-confusion squat against an internal package name of the same identifier. Regardless of researcher intent, the public publication causes any installer who resolves this name (including unrelated organizations or accidental typo-installs) to leak internal network metadata to a third-party webhook.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "4acaa72e3c14b79785540c878cb48f7a0cdc238d20ac9cebd6ffdd42061f6e7b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T17:04:43Z",
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-006913",
            "import_time": "2026-06-17T17:32:19.747699719Z"
        }
    ]
}

References

https://www.npmjs.com/package/lab-services/v/99.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / lab-services

Package

Name: lab-services; View open source insights on deps.dev
Purl: pkg:npm/lab-services

Affected ranges

Affected versions

99.*

99.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lab-services/MAL-2026-6065.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "ff1cebc61b7a24b04edcccf4642bed10e060deda15473c2e12328ea504ea2c52",
            "tlsh": "57311f5a16b121384af3d5ca8207881f5b52a133720add5c3a4c43986fd27bd85e96fb",
            "path": "node.js"
        },
        {
            "sha256": "591d1d808cb9fe19a106000a6d5aead9a4ceb3e83c27bdc23c3707dc6840ea5e",
            "tlsh": "35e02b18990499731cc542a90da69067a210ce4f48543d0c77df045c978ee6f9afa3ee",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-QGSvq+dH2X2WneGhSQfxeWcZPVYZCPmN/QjJ8geUGFl1iYTxvQi3/4YKvzdbbUxNC0aN0SzKum+F6iZsByrkLw==",
                "sha1": "a8060dde2af3647bafdce7fa4557719f6937dfac"
            },
            "filename": "lab-services-99.0.0.tgz"
        }
    ]
}