-= Per source details. Do not edit below this line.=-
package.json declares preinstall: node index.js, so the payload runs automatically on npm install with no user action. index.js requires os, fs, and https, then collects hostname, username, home directory, DNS servers, current working directory, and package metadata, and reads the contents of /etc/passwd and /etc/hosts (index.js:18-19). The aggregated JSON is HTTPS POSTed to t3x60c96rz2gi7qxftonjplmmdsbg14q.oastify.com, a Burp Collaborator out-of-band-interaction subdomain controlled by the publisher. Package metadata is empty (author '', description '', ISC license) and the package ships no functional code — it exists solely as an install-time beacon, consistent with a dependency-confusion / pen-test harvest payload.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.1"
],
"sha256": "2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64",
"source": "amazon-inspector",
"modified_time": "2026-06-23T20:18:45Z",
"import_time": "2026-06-23T20:48:30.883953523Z",
"id": "IN-MAL-2026-007358"
},
{
"versions": [
"1.0.2"
],
"sha256": "2c3f290ab3688b96b33d4e3f8d5695670d7737ba42a7c628aa246394e398ff9d",
"modified_time": "2026-07-01T20:37:55Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007889",
"import_time": "2026-07-01T21:04:20.255027868Z"
}
]
}{
"package_integrity": [
{
"filename": "triage-bot-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-hBSQh0nK9lIv4BFGLnmIjox3vnBB2edV7YwWwYffF6UstHWkzc9qtpj/IHrae0BeLPL2AtSz4WxzTZ9GYdtEOQ==",
"sha1": "7848cd16fa6eca8924ee63c5af2cf119a696e999"
}
}
],
"evidence_files": [
{
"sha256": "4eb5d9d3aa99d113bf92830dec579b22bd7dedbb3138a2c3c1116a6eb3bfb9a5",
"path": "index.js",
"tlsh": "9441259992c917330de110c06a0c70843359f9777159a9d076cf42d69f869f8b7726f3"
},
{
"sha256": "c94f4422ed886ac88f02604bd293efb6405b5e7079848b3c7ab8e48040cce473",
"path": "package.json",
"tlsh": "2ed0a9304e22a63325c106a24c2ba48773a18f2f08043c08a3cb182c81ce6b798ff31d"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/triage-bot/MAL-2026-6346.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]