MAL-2026-6346

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/triage-bot/MAL-2026-6346.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6346
Published
2026-06-23T20:18:45Z
Modified
2026-07-01T21:16:41.920224643Z
Summary
Malicious code in triage-bot (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64)

package.json declares preinstall: node index.js, so the payload runs automatically on npm install with no user action. index.js requires os, fs, and https, then collects hostname, username, home directory, DNS servers, current working directory, and package metadata, and reads the contents of /etc/passwd and /etc/hosts (index.js:18-19). The aggregated JSON is HTTPS POSTed to t3x60c96rz2gi7qxftonjplmmdsbg14q.oastify.com, a Burp Collaborator out-of-band-interaction subdomain controlled by the publisher. Package metadata is empty (author '', description '', ISC license) and the package ships no functional code — it exists solely as an install-time beacon, consistent with a dependency-confusion / pen-test harvest payload.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T20:18:45Z",
            "import_time": "2026-06-23T20:48:30.883953523Z",
            "id": "IN-MAL-2026-007358"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "2c3f290ab3688b96b33d4e3f8d5695670d7737ba42a7c628aa246394e398ff9d",
            "modified_time": "2026-07-01T20:37:55Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007889",
            "import_time": "2026-07-01T21:04:20.255027868Z"
        }
    ]
}

Affected packages

npm / triage-bot

Affected versions

1.*
1.0.1
1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "triage-bot-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-hBSQh0nK9lIv4BFGLnmIjox3vnBB2edV7YwWwYffF6UstHWkzc9qtpj/IHrae0BeLPL2AtSz4WxzTZ9GYdtEOQ==",
                "sha1": "7848cd16fa6eca8924ee63c5af2cf119a696e999"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "4eb5d9d3aa99d113bf92830dec579b22bd7dedbb3138a2c3c1116a6eb3bfb9a5",
            "path": "index.js",
            "tlsh": "9441259992c917330de110c06a0c70843359f9777159a9d076cf42d69f869f8b7726f3"
        },
        {
            "sha256": "c94f4422ed886ac88f02604bd293efb6405b5e7079848b3c7ab8e48040cce473",
            "path": "package.json",
            "tlsh": "2ed0a9304e22a63325c106a24c2ba48773a18f2f08043c08a3cb182c81ce6b798ff31d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/triage-bot/MAL-2026-6346.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]