MAL-2026-6069

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@civitatis/bot-ui/MAL-2026-6069.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6069
Published
2026-06-17T18:55:02Z
Modified
2026-06-17T20:01:52.006664734Z
Summary
Malicious code in @civitatis/bot-ui (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7)

The package declares "preinstall": "node index.js" in package.json, causing index.js to execute automatically on npm install. index.js requires child_process, os, https, and http, then collects host and user identity — whoami, id, os.hostname(), process.platform, architecture, homedir, os.userInfo() (username/uid/gid/shell), OS details, and cwd — and POSTs them as JSON to the hardcoded URL https://277k5lhnsb38srix1rr2le9g177yvpje.oastify.com/detox56 (oastify.com is the Burp Collaborator out-of-band interaction service, commonly abused as recon/C2 infrastructure). The package ships no legitimate functionality — empty description, empty author, no UI code despite the bot-ui name — and the @civitatis scope plus generic name shape are consistent with a dependency-confusion attack against an internal namespace. Installing this package on any developer machine or CI runner immediately leaks host identity to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "15.12.11"
            ],
            "id": "IN-MAL-2026-006926",
            "import_time": "2026-06-17T18:56:07.693569058Z",
            "modified_time": "2026-06-17T18:55:02Z",
            "sha256": "e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7",
            "source": "amazon-inspector"
        },
        {
            "sha256": "6c7b137f3a76494fda4324f6d092333d5017df9b8b0edeed588b1e1ed6f45675",
            "id": "IN-MAL-2026-006930",
            "import_time": "2026-06-17T19:45:56.627936104Z",
            "modified_time": "2026-06-17T19:07:36Z",
            "versions": [
                "14.12.11"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @civitatis/bot-ui

Package

Name
@civitatis/bot-ui
View open source insights on deps.dev
Purl
pkg:npm/%40civitatis%2Fbot-ui

Affected ranges

Affected versions

14.*
14.12.11
15.*
15.12.11

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "bot-ui-15.12.11.tgz",
            "hashes": {
                "sha512_sri": "sha512-8zeaVWe4vODDFkbibGa45KdXuB+EiVTogseQLuHpimcDgv5Li3WqgQMHRjVWwD4C+FwcanwMqU4QEl/E/tezJA==",
                "sha1": "a299b42fd45d034de3123be6a5bedc85ca0e3b2c"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "665161c515f65a241ba7b8494a4f9402a327e003354aee55bfcc8340af8937c97f0bf2",
            "sha256": "3ff6c041e827912a9b07619a7de5ae890dd053caed6a6090cd0552696baa5b7f",
            "path": "index.js"
        },
        {
            "sha256": "ae801dcd7ffa9fb46b5fa08809e4ee7c8b37f67580f643241727fae4290f43b3",
            "tlsh": "64d05e704e61653365d11263482ba45763a1cf6f1504bc08a7cb582c82de67789fe30e",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@civitatis/bot-ui/MAL-2026-6069.json"