MAL-2026-6125
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/sdk/MAL-2026-6125.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6125
- Published
- 2026-06-18T16:15:21Z
- Modified
- 2026-06-18T17:16:48.197285317Z
- Summary
- Malicious code in @onum-releases/sdk (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (cae207a349e4bda9359f4981d60ec81d9492cd8624535ee01b44c8f3bf3b3208)
On import, index.js reads the installer's machine hostname via os.hostname(), embeds it as a subdomain of a hardcoded *.oastify.com (Burp Collaborator out-of-band callback) host, and issues an HTTPS GET to that host. Specifically, index.js lines 5-7 build
sdk.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.comand callhttps.get({ host: host, path: '/sdk',... }). The fetch fires unconditionally onrequire('@onum-releases/sdk')with no caller consent, leaking the installer's hostname (via both DNS and HTTPS) to whoever controls that Collaborator instance. The package's own description says 'Security PoC placeholder - benign, no runtime payload', but the shipped code does run an import-time beacon. The@onum-releasesscope plus PoC framing is consistent with a dependency-confusion probe against an internalonumnamespace; the harm to any installer who pulls it (intentionally or via name confusion) is host-identifier exfiltration to a third-party OAST server. - Database specific
{ "malicious-packages-origins": [ { "sha256": "b70360f3abcea9176799bb327a3470296ba1dd07b81463b28981d5c2fbfa560e", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:21Z", "versions": [ "1.0.2" ], "id": "IN-MAL-2026-006993", "import_time": "2026-06-18T17:08:46.845053784Z" }, { "sha256": "cae207a349e4bda9359f4981d60ec81d9492cd8624535ee01b44c8f3bf3b3208", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:24Z", "versions": [ "1.0.1" ], "id": "IN-MAL-2026-006997", "import_time": "2026-06-18T17:08:47.097072982Z" }, { "sha256": "d195016c054f564e0e341fbd97df3950a6c3e289339c9d701e434310b209647b", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:23Z", "versions": [ "1.0.3" ], "id": "IN-MAL-2026-006996", "import_time": "2026-06-18T17:08:47.014691368Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @onum-releases/sdk
Package
- Name
- @onum-releases/sdk
- View open source insights on deps.dev
- Purl
- pkg:npm/%40onum-releases%2Fsdk
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/sdk/MAL-2026-6125.json"
indicators
{
"evidence_files": [
{
"sha256": "8f3a4845c967946366390aa717796f655eed96b06eb2e10dd18d72d8b499f656",
"tlsh": "7bf0abd6d2f9f5543133a4c9d61e0004a2a2f0c02385cec046afe1f66db2b182706ef8",
"path": "index.js"
},
{
"sha256": "f5e8622aaf5eb7f4dce5399ed51b820ec9c45cd5f129b497dfc26bcb6bb9c737",
"tlsh": "afc08c200900f13318c6ce710db2ce2906695c2f6390f5080b2b2014c1aabf3a4f6b8c",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-rNniRCuSzX7NAElbcD6Nik4WjU+f3EIPIBtXLh1+MFFjaWbBkDv3oNWSoVnrkgCw3CmCJDKJsAplFJNxuT913A==",
"sha1": "446f68145088f7774773b7d85320dcdffb82adbc"
},
"filename": "sdk-1.0.2.tgz"
}
]
}