MAL-2026-6124

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/ixel/MAL-2026-6124.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6124

Published

2026-06-18T16:15:22Z

Modified

2026-06-18T17:16:47.302918609Z

Summary

Malicious code in @onum-releases/ixel (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599)

On import, index.js reads os.hostname() and issues an HTTPS GET to ixel.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com/ixel (oastify.com is Burp Suite's Collaborator out-of-band interaction domain). The hostname is embedded as a DNS subdomain label, so the DNS resolution alone leaks the installer's hostname to an attacker-controlled nameserver regardless of whether the HTTP request succeeds. Any developer machine or CI runner that require()s this package — directly or transitively — sends a host identifier to the operator of the configured Collaborator instance. The package.json description ("Security PoC placeholder - benign, no runtime payload") contradicts the shipped code, and the @onum-releases scope appears designed to resemble a legitimate vendor releases namespace.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "03f19785a8c7b4908b1bdab949073500ac828a2ccc3d34562cac16b4fce4a45b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:22Z",
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-006995",
            "import_time": "2026-06-18T17:08:46.962833167Z"
        },
        {
            "sha256": "0405bead6aa6dd628190974d5555a124113b2fc630e8a90f11be30a238af88d2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:32Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-007003",
            "import_time": "2026-06-18T17:08:47.614926762Z"
        },
        {
            "sha256": "188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:22Z",
            "id": "IN-MAL-2026-006994",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-18T17:08:46.900116541Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @onum-releases/ixel

Package

Name: @onum-releases/ixel; View open source insights on deps.dev
Purl: pkg:npm/%40onum-releases%2Fixel

Affected ranges

Affected versions

1.*

1.0.1

1.0.2

1.0.3

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/ixel/MAL-2026-6124.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "6e5ac179cb554e98721365c79a3caa7198842aeff84bee0e047ce090fb31f503",
            "tlsh": "94f0abd6d2f9f1907132b4c9d65e0405a2a2f0902295cec04aafe1f66df1b281706ef8",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-I//R82XQNfvPGzyuUzLv43AqowSoK1Gfm3uu9CMqPnmkJdqJ0tMYeP9GGwwIXmlfbxfDrwcMLZXvuszu8gp+mw==",
                "sha1": "33353623275a9379387b051a7e58079d99af6ec5"
            },
            "filename": "ixel-1.0.2.tgz"
        }
    ]
}