-= Per source details. Do not edit below this line.=-
package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname (os.hostname()), username (os.userInfo()), homedir, DNS servers, and package paths, reads /etc/passwd and /etc/hosts via fs.readFileSync, and HTTPS-POSTs the JSON payload to 66az91mywqmmbqau9k79bum1us0jo9cy.oastify.com (a Burp Collaborator subdomain). Package metadata (empty author, empty description, generic CI-flavored name ebpf-tracker-action) is consistent with a dependency-confusion attack targeting an internal package name. Any machine that installs this package leaks system identity and local account data to an attacker-controlled host at install time.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-17T21:34:28Z",
"sha256": "f51f94366660f50b3ffaacedda1e956035ca8a7e5e0cadc33f2aefc20dd8a6a3",
"versions": [
"1.0.1"
],
"import_time": "2026-06-17T21:42:17.972244744Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-006942"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "ebpf-tracker-action-1.0.1.tgz",
"hashes": {
"sha1": "845c5488bd5d7898ccb97acf9d391ebebff0035f",
"sha512_sri": "sha512-F7BStV9yS4vt6PfZB7fjGIhxZTtSXOp/wtCAQiUO1B18nJpBShKoAISnI9C5Rx+AuNQ69KkQyZuuud+5nlp3rw=="
}
}
],
"evidence_files": [
{
"tlsh": "c741139592da17330dd210c0660c70852359f977725998d076df42969f869f8b7316f3",
"sha256": "dea7234043007dd10c8e4f878d02284b1b7aaefa24812438461717cd4b9b3b8c",
"path": "index.js"
},
{
"tlsh": "a7d0a7304d62693325c506660c3b959772718f2f14147c08a7cb182c81de6b798ff35c",
"sha256": "9aed9e65afa8e3e6fac2cf61d06252d7918346fb384f339ca08c3884d35e022b",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ebpf-tracker-action/MAL-2026-6077.json"