MAL-2026-6183

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@mep-exp/api-tools/MAL-2026-6183.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6183

Published

2026-06-19T05:03:19Z

Modified

2026-06-19T05:31:48.290360919Z

Summary

Malicious code in @mep-exp/api-tools (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (322089c1a58142401c82621aa778cdb7221086196cce6c879a703625b7013555)

preinstall.js, registered as scripts.preinstall and also required from the main module and every bin entry, collects os.hostname(), os.userInfo().username, os.platform(), process.cwd(), and a timestamp and POSTs them as JSON to https://webhook.site/1ba25769-0f80-4429-a7d2-409af5fa5adc. The request runs unconditionally during npm install (preinstall lifecycle) and on every require/CLI invocation, with errors silently swallowed. The package scope (@mep-exp) and bin names (mesh-swagger-cli, mesh-exp-entitlements, mesh-exp-routes, mesh-exp-api-clients, etc.) impersonate an internal Westpac 'MEP Experience Platform' toolchain, and the exfil payload includes a note: "Westpac CT" marker — consistent with a dependency-confusion attack against that organization's internal namespace published on public npm. The package provides no legitimate functionality beyond the beacon.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "322089c1a58142401c82621aa778cdb7221086196cce6c879a703625b7013555",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T05:03:19Z",
            "id": "IN-MAL-2026-007054",
            "versions": [
                "2.0.3"
            ],
            "import_time": "2026-06-19T05:16:49.915689755Z"
        }
    ]
}

References

https://www.npmjs.com/package/@mep-exp/api-tools/v/2.0.3

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @mep-exp/api-tools

Package

Name: @mep-exp/api-tools; View open source insights on deps.dev
Purl: pkg:npm/%40mep-exp%2Fapi-tools

Affected ranges

Affected versions

2.*

2.0.3

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@mep-exp/api-tools/MAL-2026-6183.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "262b16adf1bace2120413f6a3025270b078db5dc743e40ea771aff18c8b5b623",
            "tlsh": "bd0110c9aaab97742bf4f3c0b180940593b2d308bc0315a776ba63ed2745ee44361f70",
            "path": "preinstall.js"
        },
        {
            "sha256": "04e781ef8158e77b2a810790fe85b2fb2c9dc1b4923b8773c8f0b57f577ccfbb",
            "tlsh": "0ff0123387e14eb725b8bb51b4936902b3f34e7f2151880ab3b9240d9ab059207cfb16",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-dD0OZMMpWFgrUrsjPNosWo1KXqh6GqcALX4GI29BwA41zvBnh3BijVonCn+CQF6Cq65lsSfj3cB1JTy4/Ti4CQ==",
                "sha1": "3e9864b9a7b6fe48f06ba8a2739989a77e8e71e0"
            },
            "filename": "api-tools-2.0.3.tgz"
        }
    ]
}