MAL-2026-6132

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metavu/MAL-2026-6132.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6132

Published

2026-06-18T15:56:00Z

Modified

2026-06-18T17:16:46.110873750Z

Summary

Malicious code in metavu (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525)

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname, platform, architecture, home directory, username/uid/gid/shell, OS details, the output of whoami and id, and the current working directory, then POSTs the JSON payload to a hardcoded collector URL https://webhook.site/4f54203c-996c-4f52-b136-ef9b1fd0f64d/detox56 (index.js:7, index.js:108). The package has no functional code — empty author, empty description, and a bizarre version string 99.21.1-1.21.199 consistent with a throwaway dependency-confusion / recon probe. Installing this package leaks installer identity and host fingerprint to an attacker-controlled collector, enabling targeted follow-on attacks against the developer or build environment.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b831ebbecee413d046d8e4ed8d9b21c3d2a6e4b71350c714535eeefaeccb1a6a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T15:56:41Z",
            "versions": [
                "99.21.1-1.21.127"
            ],
            "id": "IN-MAL-2026-006982",
            "import_time": "2026-06-18T17:08:46.028579343Z"
        },
        {
            "sha256": "fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T15:56:00Z",
            "versions": [
                "99.21.1-1.21.199"
            ],
            "id": "IN-MAL-2026-006977",
            "import_time": "2026-06-18T17:08:45.686378256Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / metavu

Package

Name: metavu; View open source insights on deps.dev
Purl: pkg:npm/metavu

Affected ranges

Affected versions

99.*

99.21.1-1.21.127

99.21.1-1.21.199

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/metavu/MAL-2026-6132.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "c56083dad3b306e1f094b5514f052668bd8e3d923cf50191c4cfb4f6015436d3",
            "tlsh": "0d5152c516fa5a241b67b8494a4f9402a327e0033505ee59bfdc8740af9937c97f0bf6",
            "path": "index.js"
        },
        {
            "sha256": "529efd6afea2f828125e65ca6b26926f790c56752040c616e30eefe4ea811b39",
            "tlsh": "cad0a7305e2155332ad502a60c2b989772a18f2f14053c08a7db582c81df677acff34d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Rnx75fDJ6Pl074JL/vovqi/6iw52kn58of4IN0MdQwuJm84An4HKU43AfIFnnBaIkym7w45A0OrhWb94qhD+Sg==",
                "sha1": "78a198d67f9437268fa381e6961f01992dd89439"
            },
            "filename": "metavu-99.21.1-1.21.127.tgz"
        }
    ]
}