MAL-2026-6297

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tree-sitter-forth/MAL-2026-6297.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6297
Published
2026-06-23T14:10:12Z
Modified
2026-06-23T14:31:20.566466202Z
Summary
Malicious code in tree-sitter-forth (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (16f52e13ffb66b20f7c3dca7022e8115dbce1f39264638d38b73d6488e4cbf27)

Package is a dependency-confusion lure: it claims version 9999.99.99 with description 'npm 404 error referenced in AlexanderBrevig/tree-sitter-forth', engineered to win resolution when an internal build references a non-existent public package of this name. index.js is a hollow re-export (module.exports = require('tree-sitter-forth')) while postinstall.js fires the actual payload. On npm install, postinstall.js collects host identity (os.hostname(), Node/OS versions, package name+version), probes 16 CI provider environment variables, harvests GitHub workflow/repo/owner env vars, and reads the configured npm registry URL, then POSTs the bundle as JSON to https://ddactic-lab.online/sc/beacon (postinstall.js:48). A DNS-exfil fallback encodes the package slug, CI label, and a hash into a subdomain of b.ddactic-lab.online (postinstall.js:62 dns.lookup(...b.ddactic-lab.online)) to bypass HTTP-blocking egress proxies. The leaked data — internal CI provider, private registry URL, GitHub repo/workflow names — is reconnaissance material for follow-on dependency-confusion attacks against the victim's internal infrastructure.

Database specific 
{
    "malicious-packages-origins": [
        {
            "sha256": "16f52e13ffb66b20f7c3dca7022e8115dbce1f39264638d38b73d6488e4cbf27",
            "id": "IN-MAL-2026-007198",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T14:10:12Z",
            "versions": [
                "9999.99.99"
            ],
            "import_time": "2026-06-23T14:23:02.483914519Z"
        }
    ]
}
References
Credits

Affected packages

npm / tree-sitter-forth

Package

Name
tree-sitter-forth
View open source insights on deps.dev
Purl
pkg:npm/tree-sitter-forth

Affected ranges

Affected versions

9999.*
9999.99.99

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tree-sitter-forth/MAL-2026-6297.json"
cwes 
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "evidence_files": [
        {
            "sha256": "4324f56fae800d0b23676d8af07782ce438391d148add96817be6c5f30f8b082",
            "tlsh": "3b51d8664a98d2350ba126ddf853c4235dbbd05637d688f0b70d12621fc51ac0273bdf",
            "path": "postinstall.js"
        },
        {
            "sha256": "8b47d7f541163524ea1ffc62d2225c7e6784b74b396950b0d06f93ce0b47a951",
            "tlsh": "88f027d39c2187232de43b859827028667764c0b9188bc992397041c978f5bfa5bf599",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "tree-sitter-forth-9999.99.99.tgz",
            "hashes": {
                "sha1": "4e7f30296374d763852f6e6668c1535ef28b073e",
                "sha512_sri": "sha512-5ezIkmiRZDQ6wCn3iEwgDg24eUGRrdorgXJ2gw5X35b+xCpqaVqnV+S2wzWhXkYg7bT/UG2EKxLzVIyiXouM+w=="
            }
        }
    ]
}