MAL-2026-6127

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/utils/MAL-2026-6127.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6127

Published

2026-06-18T16:15:26Z

Modified

2026-06-18T17:16:48.201356545Z

Summary

Malicious code in @onum-releases/utils (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (887866a4734ebf64a639f9d2512cd400085469ec7fa06aba5f1bbe340b2688b8)

On require('@onum-releases/utils'), index.js reads os.hostname() and issues an HTTP GET to 'utils.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com', leaking the installer's hostname via DNS and HTTP to an out-of-band collaborator endpoint controlled by the package publisher. The beacon fires unconditionally on module load, so any consumer that imports the package exposes its host identifier to the attacker-controlled collaborator. The package.json description claims 'Security PoC placeholder - benign, no runtime payload', directly contradicting the shipped code. The scope '@onum-releases' impersonates the Onum vendor namespace, consistent with a dependency-confusion lure aimed at that organization's developers.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "057e9534a55fd4068aaffb080224c08a14689dedbeb0737bda03a4c3bbc14a63",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:27Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-007002",
            "import_time": "2026-06-18T17:08:47.550328116Z"
        },
        {
            "sha256": "887866a4734ebf64a639f9d2512cd400085469ec7fa06aba5f1bbe340b2688b8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:15:26Z",
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-007001",
            "import_time": "2026-06-18T17:08:47.431910813Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @onum-releases/utils

Package

Name: @onum-releases/utils; View open source insights on deps.dev
Purl: pkg:npm/%40onum-releases%2Futils

Affected ranges

Affected versions

1.*

1.0.1

1.0.2

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/utils/MAL-2026-6127.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "17a8dbe1504773d6f3bbe29b27a7c2cde02b26c2c486887038bcdcba5fa89f85",
            "tlsh": "8ff0dce592b5f4507232a4c8d20e90096293e0802280ced0419ed0e05da1a681702ef8",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-VxYgIbqPKFaRFhZZxN+6vEK8mjmBkMzOfdYavryA4G/LaVVOVMNZ7Agv3KPk+jIX1GlXWHgs8MD4WVddAu373g==",
                "sha1": "97a07d7682334b9d831a20dff1fbe412df8128de"
            },
            "filename": "utils-1.0.1.tgz"
        }
    ]
}