MAL-2026-6075

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/opt-archetype-check/MAL-2026-6075.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6075
Published
2026-06-17T19:09:08Z
Modified
2026-06-17T20:01:51.628547205Z
Summary
Malicious code in opt-archetype-check (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6497b3f44c017bc9ba783cd75e17d4992f79542d8819558da92e152ee4d4471e)

On npm install, the package's postinstall hook executes node index.js. That script collects the installer's public IP (via api.ipify.org), hostname, username, platform, current working directory, process id and the Windows domain environment variables COMPUTERNAME, USERDOMAIN, LOGONSERVER, USERDNSDOMAIN and USERNAME, then POSTs the JSON payload to the hardcoded attacker endpoint http://109.71.252.153:8080/callback over plain HTTP. index.js line 24 hardcodes the callback host (const CALLBACK_HOST = "109.71.252.153";) and line 73 issues the POST to /callback. The file's own header self-identifies it as a 'PoC Callback Script — npm Package Takeover'.

The package description ('walmart Application and Middleware Server') and its name are consistent with a dependency-confusion attack impersonating internal Walmart tooling: any build or developer environment that mistakenly resolves this public package instead of the intended private one executes the beacon on install and leaks infrastructure fingerprints to the attacker, giving reconnaissance for follow-on intrusion against the targeted internal namespace.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "6497b3f44c017bc9ba783cd75e17d4992f79542d8819558da92e152ee4d4471e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T19:09:08Z",
            "versions": [
                "9.9.1"
            ],
            "id": "IN-MAL-2026-006931",
            "import_time": "2026-06-17T19:45:56.695232263Z"
        }
    ]
}
References
Credits

Affected packages

npm / opt-archetype-check

Package

Name
opt-archetype-check
Purl
pkg:npm/opt-archetype-check

Affected ranges

Affected versions

9.*
9.9.1

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/opt-archetype-check/MAL-2026-6075.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "ec9fc905924e513ea3f083f29d269e88f3f6777709ce245dbc7b541e2f3a3c44",
            "tlsh": "a26131794ab561183af2de6ca35f040222a1f0133a46e964b8dd72441fde77802f69fa",
            "path": "index.js"
        },
        {
            "sha256": "8fafeaf647487df53ed74aa4f4e78baae92fa9e3df2f7b6297b7f7775782b152",
            "tlsh": "78d0a7600920526310d932d54c76844a26a21e3a110c581807c3111491c95b744bf319",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-RZLaKsu8YfhSDEZ94Qj9EaYDzEyuY/u4qygRBMNOoTdq8/ePG7INN9fmw1nR2/DHMTYYoY+kgwIaP8+f7MZmVQ==",
                "sha1": "01c291b5ef45049c10a40d0c36314a76e8955779"
            },
            "filename": "opt-archetype-check-9.9.1.tgz"
        }
    ]
}