MAL-2026-6126
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/shared-components/MAL-2026-6126.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6126
- Published
- 2026-06-18T16:15:24Z
- Modified
- 2026-06-18T17:16:48.046694511Z
- Summary
- Malicious code in @onum-releases/shared-components (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74)
On require()/import, index.js reads os.hostname() and issues an HTTP GET to 'shared-components.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com/shared-components', leaking the installer's hostname out-of-band to an attacker-controlled Burp Collaborator subdomain. The package.json describes the package as a 'Security PoC placeholder - benign, no runtime payload' but the shipped index.js contradicts that claim and actively beacons on every load. The @onum-releases scope combined with the generic 'shared-components' name is consistent with a dependency-confusion squat against an internal Onum private package; any build that resolves this public version executes the beacon and discloses the host identifier to a third party. Self-described 'PoC' framing does not neutralize the harm — the code performs real installer-side data exfiltration.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "54d6c83bc588b9f214e650e97872e9f38e4cbe4f907f99c9bc8887f4028f9d10", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:26Z", "versions": [ "1.0.1" ], "id": "IN-MAL-2026-007000", "import_time": "2026-06-18T17:08:47.371789421Z" }, { "sha256": "9192c26fb53aefa13f0319128a366a226ac39ca7ffca4ff73c02c5ccd1919b19", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:24Z", "versions": [ "1.0.3" ], "id": "IN-MAL-2026-006998", "import_time": "2026-06-18T17:08:47.196274525Z" }, { "sha256": "c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74", "source": "amazon-inspector", "modified_time": "2026-06-18T16:15:25Z", "versions": [ "1.0.2" ], "id": "IN-MAL-2026-006999", "import_time": "2026-06-18T17:08:47.306795997Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @onum-releases/shared-components
Package
- Name
- @onum-releases/shared-components
- View open source insights on deps.dev
- Purl
- pkg:npm/%40onum-releases%2Fshared-components
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/shared-components/MAL-2026-6126.json"
indicators
{
"evidence_files": [
{
"sha256": "a2374834883f5c06ac34c557a9d3fa64c903464d30180b9b93ae8c7317a6738f",
"tlsh": "c2f0dcf9a2b5b4547132a4c9e21f680b63d3e0802682dec0429fd0e05ee2b282707df8",
"path": "index.js"
},
{
"sha256": "299d3a14bcdf0fa0291cfd9f8afb1cc8bed2523cc6dcb5dc94ac3b451d9471b3",
"tlsh": "0cc012300900e42714c5ca710d729e1617654c6b5681b5080717501481e67b364f779d",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-TWljJkubBMvok0kbYDXwg6vTsk2F6vmF/j/icdIDcG8p0ziY5bD1AW8kAN6O1r74wcAL20KUomNRw+ef/k6ZRg==",
"sha1": "4bed4113d7d96149075a50634875da0cd7135e8c"
},
"filename": "shared-components-1.0.1.tgz"
}
]
}