MAL-2026-6184

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@qlab/component-intelligence/MAL-2026-6184.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6184

Published

2026-06-19T05:02:33Z

Modified

2026-06-19T05:31:48.526763797Z

Summary

Malicious code in @qlab/component-intelligence (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9ad49caeee790003270d74c5b17a58d0cef6f04d881efe83b0f6c7e11515e934)

package.json declares a preinstall hook ("preinstall": "node index.js") that fires automatically on npm install. index.js requires os, dns, https, querystring, and the package's own package.json, then collects the installer's hostname (os.hostname()), username (os.userInfo().username), home directory (os.homedir()), configured DNS servers (dns.getServers()), current working directory, and the full contents of package.json, and POSTs them via HTTPS to the hardcoded webhook https://eo1e4fhn1i67p8r.m.pipedream.net/. This is the canonical dependency-confusion / recon-beacon shape: host identifiers and internal package metadata leave the machine unconditionally at install time to an attacker-controlled endpoint, giving the attacker reconnaissance data on internal package names, corporate hostnames, and user identities to fuel follow-on supply-chain attacks.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "9ad49caeee790003270d74c5b17a58d0cef6f04d881efe83b0f6c7e11515e934",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T05:02:33Z",
            "id": "IN-MAL-2026-007053",
            "versions": [
                "2.0.6"
            ],
            "import_time": "2026-06-19T05:16:49.673638041Z"
        }
    ]
}

References

https://www.npmjs.com/package/@qlab/component-intelligence/v/2.0.6

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @qlab/component-intelligence

Package

Name: @qlab/component-intelligence; View open source insights on deps.dev
Purl: pkg:npm/%40qlab%2Fcomponent-intelligence

Affected ranges

Affected versions

2.*

2.0.6

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@qlab/component-intelligence/MAL-2026-6184.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "a7e18272aee814e3f4f821b4b911ff6586a8ee7170087ebdb52d99f61d0e789a",
            "tlsh": "8811afd885e123600d7645c47899d00916aad737790e6ddcf5cc06d04f89abd60b3af5",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-zjkAaMsFeEqiE3wBWzihg8kfpCQvb8ZIsWqc2OUiubCbHhnvduS7LM4X87P7KIi8nknMOhJRm5PG//7XnhKT/g==",
                "sha1": "b4553f86de5b9418a4e20dcd0f4ab8f807b94a85"
            },
            "filename": "component-intelligence-2.0.6.tgz"
        }
    ]
}