MAL-2026-6337

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hunsterx-package/MAL-2026-6337.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6337

Published

2026-06-23T19:33:15Z

Modified

2026-06-23T19:46:24.033981098Z

Summary

Malicious code in hunsterx-package (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (32f2430d6e0da9484283d0012a16df0c593ccb5fa2a56ea727bd19ba435f964f)

preinstall.js executes a chain of eval(Buffer.from('<base64>','base64').toString()) payloads at npm install time. The decoded payloads collect host identity (os.hostname, os.userInfo, cwd, network interfaces), the full process.env (chunked over DNS if larger than 5KB), the contents of./.npmrc and ~/.npmrc, AWS EC2 instance-identity metadata fetched from IMDSv2 at 169.254.169.254 (account ID, region), and recursive reads of *.env / *.config / *.yaml / *.toml files in the working directory. All collected data is transmitted via https.get and dns.resolve to d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun (a project-discovery Interactsh out-of-band collaborator). postinstall.js additionally performs a DNS callback postinstall-<rand>.d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun to confirm both lifecycle phases ran. The base64+eval wrapping has no functional purpose other than evading static review. Installer impact: any developer or CI runner that performs npm install on this package leaks npm publish tokens (from.npmrc), full environment variables (commonly containing API keys, cloud credentials, and CI secrets), and AWS account/region identifiers to the attacker.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "32f2430d6e0da9484283d0012a16df0c593ccb5fa2a56ea727bd19ba435f964f",
            "id": "IN-MAL-2026-007339",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:33:15Z",
            "versions": [
                "7.0.1"
            ],
            "import_time": "2026-06-23T19:40:41.43739557Z"
        }
    ]
}

References

https://www.npmjs.com/package/hunsterx-package/v/7.0.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / hunsterx-package

Package

Name: hunsterx-package; View open source insights on deps.dev
Purl: pkg:npm/hunsterx-package

Affected ranges

Affected versions

7.*

7.0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hunsterx-package/MAL-2026-6337.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "39ae25d13298908a1878be76d11f578e23bed4a13b5934b8d2affb05b4b82b29",
            "tlsh": "1591d8b8bae539cf753555e51086799f823bb24131d3f0bac18a124f154cbd2f19137a",
            "path": "preinstall.js"
        },
        {
            "sha256": "54a8579e29bebd9f7c201dc46f98f052d23fb9b5151d2b05a44e38d7c7d0a88d",
            "tlsh": "31c0220c33c02ae809640bd4b082088e00028fa1a0a540e010aa1820108bb7478a3811",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "hunsterx-package-7.0.1.tgz",
            "hashes": {
                "sha1": "6ec6fc1366927885131ef9aeb82762fddd706819",
                "sha512_sri": "sha512-DuFgqQ8aDCaAVIVaBg/fuprOmWaurBn7GwBE6g7uXoYWcWORwXj30GfA6KFt22yozIzNzxSgwGWO/v5ZsQO8tQ=="
            }
        }
    ]
}