-= Per source details. Do not edit below this line.=-
package.json declares preinstall: node index.js, causing index.js to run automatically on npm install. The script collects hostname, username, home directory, DNS servers, and the full package.json, and reads /etc/passwd and /etc/hosts (index.js:18), then HTTPS-POSTs the JSON payload to cp5uzinglyy3ifb8gvvgvq5qvh19p0dp.oastify.com (a Burp Collaborator out-of-band subdomain controlled by the attacker). Empty author/description fields and the generic bug-monorepo name are consistent with a dependency-confusion recon package targeting an internal namespace. Installing this package leaks host identity and sensitive system file contents to an attacker-controlled endpoint.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-23T21:53:55Z",
"versions": [
"3.1.94"
],
"sha256": "bdac6ea5e7530323f39451c43fc9e4693b30704a5f9e9287018c727a44c36a5d",
"id": "IN-MAL-2026-007383",
"source": "amazon-inspector",
"import_time": "2026-06-23T22:31:28.207528469Z"
}
]
}{
"evidence_files": [
{
"tlsh": "3c411199a2ca17330dd250c06a0c70852359fa777269e8d076cf43969f869f8b7226f3",
"sha256": "ccdd4129bddff8b06992b21c85a3a541a4bdf008d6f00cb5252dcc252387c14a",
"path": "index.js"
},
{
"tlsh": "f7d0a7304ea1553375c116920c2b949772618f2f04543c0863cf292c85ce3b798ff30d",
"sha256": "afdc2a55f1e788e26ecb3362af7222937ab658332826fc22becf6e43867bb558",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "00905432faa6a3cec56090e429181ef2171ac3af",
"sha512_sri": "sha512-lrhFdjjEkzV9Np6ZzcKl0ewzGPDFobymHFwxjhdUgBIXXtHxEm9eIdTNdeuTjUoPISArl160UJIwDdlBVrxXig=="
},
"filename": "bug-monorepo-3.1.94.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bug-monorepo/MAL-2026-6349.json"