MAL-2026-6292
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@outmarket/utils/MAL-2026-6292.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6292
- Published
- 2026-06-23T14:12:09Z
- Modified
- 2026-06-23T22:46:24.273516714Z
- Summary
- Malicious code in @outmarket/utils (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (2cd90f0d706cda01a5740f120f6e8d22ae57d907a5000854439c201b3c53a8c0)
package.json declares a postinstall lifecycle script that fires automatically on
npm install. The inlinenode -epayload uses hex-encoded property names (\x6f\x73foros,\x68\x6f\x73\x74\x6e\x61\x6d\x65forhostname,\x75\x73\x65\x72\x49\x6e\x66\x6fforuserInfo) to obscure that it readsos.hostname()andos.userInfo().username, then issues an HTTP GET tohttp://208.87.128.25:8888/?h=<hostname>&u=<username>. The destination is a bare IPv4 over cleartext HTTP — not a publisher domain or known infrastructure. The package is published under the@outmarketscope with a description identifying it as a dependency-confusion proof-of-concept, but the on-install behavior is indistinguishable from a real dependency-confusion beacon: any installer who resolves this public package in place of an internal@outmarket/utilswill leak host identity to the hardcoded endpoint. Hex obfuscation of standard Node API names is evasion, not a legitimate engineering choice. - Database specific
{ "malicious-packages-origins": [ { "sha256": "09e0002479ff6c431a5c5bfe6971f2acd915245afac8075caf15023d52428b8f", "import_time": "2026-06-23T14:23:03.39021976Z", "source": "amazon-inspector", "modified_time": "2026-06-23T14:12:09Z", "versions": [ "9.9.9" ], "id": "IN-MAL-2026-007206" }, { "sha256": "2cd90f0d706cda01a5740f120f6e8d22ae57d907a5000854439c201b3c53a8c0", "import_time": "2026-06-23T14:23:03.606609157Z", "source": "amazon-inspector", "modified_time": "2026-06-23T14:12:15Z", "versions": [ "9.9.10" ], "id": "IN-MAL-2026-007208" }, { "sha256": "528f0f362b90e8b662e0bb0ca5a6620989560b97f74d9dd064a02cb1c7314bf4", "id": "IN-MAL-2026-007378", "source": "amazon-inspector", "modified_time": "2026-06-23T21:46:24Z", "versions": [ "9.9.11" ], "import_time": "2026-06-23T22:31:27.784954754Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @outmarket/utils
Package
- Name
- @outmarket/utils
- View open source insights on deps.dev
- Purl
- pkg:npm/%40outmarket%2Futils
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@outmarket/utils/MAL-2026-6292.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"sha256": "240b3e2b3ac75c7c8843ada46a18cd725a4bb231cc2532f56a892a7b982f0a86",
"tlsh": "08e068b449fcfa7238c409d614722908b0b3d9651018ec01a7a312889a986fbaea753e",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "utils-9.9.11.tgz",
"hashes": {
"sha1": "4b0af2f0613b19afb7feb5eb8688a30a67c9c9df",
"sha512_sri": "sha512-61wJLz/GgFNKdPqfpInoISzCNf4yrkVoGPupD9cCXiQbIShv1x1VOQtMnSrgdVofMavP4nhbSz2VArYTiEeQuQ=="
}
}
]
}