MAL-2026-6077

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ebpf-tracker-action/MAL-2026-6077.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6077
Published
2026-06-17T21:34:28Z
Modified
2026-06-17T22:01:48.890687163Z
Summary
Malicious code in ebpf-tracker-action (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f51f94366660f50b3ffaacedda1e956035ca8a7e5e0cadc33f2aefc20dd8a6a3)

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname (os.hostname()), username (os.userInfo()), homedir, DNS servers, and package paths, reads /etc/passwd and /etc/hosts via fs.readFileSync, and HTTPS-POSTs the JSON payload to 66az91mywqmmbqau9k79bum1us0jo9cy.oastify.com (a Burp Collaborator subdomain). Package metadata (empty author, empty description, generic CI-flavored name ebpf-tracker-action) is consistent with a dependency-confusion attack targeting an internal package name. Any machine that installs this package leaks system identity and local account data to an attacker-controlled host at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-17T21:34:28Z",
            "sha256": "f51f94366660f50b3ffaacedda1e956035ca8a7e5e0cadc33f2aefc20dd8a6a3",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-17T21:42:17.972244744Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006942"
        }
    ]
}
References
Credits

Affected packages

npm / ebpf-tracker-action

Package

Name
ebpf-tracker-action
View open source insights on deps.dev
Purl
pkg:npm/ebpf-tracker-action

Affected ranges

Affected versions

1.*
1.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ebpf-tracker-action-1.0.1.tgz",
            "hashes": {
                "sha1": "845c5488bd5d7898ccb97acf9d391ebebff0035f",
                "sha512_sri": "sha512-F7BStV9yS4vt6PfZB7fjGIhxZTtSXOp/wtCAQiUO1B18nJpBShKoAISnI9C5Rx+AuNQ69KkQyZuuud+5nlp3rw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "c741139592da17330dd210c0660c70852359f977725998d076df42969f869f8b7316f3",
            "sha256": "dea7234043007dd10c8e4f878d02284b1b7aaefa24812438461717cd4b9b3b8c",
            "path": "index.js"
        },
        {
            "tlsh": "a7d0a7304d62693325c506660c3b959772718f2f14147c08a7cb182c81de6b798ff35c",
            "sha256": "9aed9e65afa8e3e6fac2cf61d06252d7918346fb384f339ca08c3884d35e022b",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ebpf-tracker-action/MAL-2026-6077.json"