MAL-2026-6123

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/auth/MAL-2026-6123.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6123
Published
2026-06-18T16:15:16Z
Modified
2026-06-18T17:16:47.795993977Z
Summary
Malicious code in @onum-releases/auth (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (22d4bde1772d506f812e112fb8d6bfbf6a6f187dd823640f2cf15811f0d0633a)

On require('@onum-releases/auth'), index.js reads os.hostname() and issues an HTTP GET to auth.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com, transmitting the installer's host identifier to a Burp Collaborator out-of-band domain via both DNS resolution and HTTP. The package.json self-identifies as a 'dependency-confusion / scope-takeover demonstration' placeholder under the @onum-releases scope, so any build that mistakenly resolves an internal @onum-releases/* name to the public registry will leak its hostname to a third-party collaborator endpoint. Although labeled a PoC, the import-time beacon performs unconsented exfiltration of installer-side data to an attacker-controlled domain.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "22d4bde1772d506f812e112fb8d6bfbf6a6f187dd823640f2cf15811f0d0633a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:16Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-006989",
            "import_time": "2026-06-18T17:08:46.473870933Z"
        },
        {
            "sha256": "72203eaa09216d9c9eb3cb0202eba28ce4e44f14ee587608ddd8b0b62829dae6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:18Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-006991",
            "import_time": "2026-06-18T17:08:46.646372864Z"
        },
        {
            "sha256": "75e6ff09332290e46dd6b6b660cdf20f335d18eddc93060373b5211ebab6f524",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:17Z",
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-006990",
            "import_time": "2026-06-18T17:08:46.563481749Z"
        }
    ]
}
References
Credits

Affected packages

npm / @onum-releases/auth

Package

Name
@onum-releases/auth
Purl
pkg:npm/%40onum-releases%2Fauth

Affected ranges

Affected versions

1.*
1.0.1
1.0.2
1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/auth/MAL-2026-6123.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "4367e2a734dcc5e7dce75530a942ff5ed14d13c12d1cef9e2838bb412d2852bd",
            "tlsh": "18f0abdad3f9f5507132a4c9e60e4404a2a2f0902286dec055afe1f62df2b181b06df8",
            "path": "index.js"
        },
        {
            "sha256": "bf819df9feebf5605afe822bc64fb26c3169c55eca3137503cc238893812c081",
            "tlsh": "46d02b644644a43354c5cb760d70952922b95c3fb24271092f179218c0abbf31579389",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-yMJq5M6LxNBMaCLtphbawGK84164sj8psWAXLMiX/YeVR/qh8EFzKe6iYG81DCE17mZ5yTjD3QkY1Kp3qLfb0w==",
                "sha1": "d9db879454e53c8c137e2f3c9281ff229225074b"
            },
            "filename": "auth-1.0.3.tgz"
        }
    ]
}