MAL-2026-6349

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bug-monorepo/MAL-2026-6349.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6349
Published
2026-06-23T21:53:55Z
Modified
2026-06-23T22:46:24.948340980Z
Summary
Malicious code in bug-monorepo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bdac6ea5e7530323f39451c43fc9e4693b30704a5f9e9287018c727a44c36a5d)

package.json declares preinstall: node index.js, causing index.js to run automatically on npm install. The script collects hostname, username, home directory, DNS servers, and the full package.json, and reads /etc/passwd and /etc/hosts (index.js:18), then HTTPS-POSTs the JSON payload to cp5uzinglyy3ifb8gvvgvq5qvh19p0dp.oastify.com (a Burp Collaborator out-of-band subdomain controlled by the attacker). Empty author/description fields and the generic bug-monorepo name are consistent with a dependency-confusion recon package targeting an internal namespace. Installing this package leaks host identity and sensitive system file contents to an attacker-controlled endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-23T21:53:55Z",
            "versions": [
                "3.1.94"
            ],
            "sha256": "bdac6ea5e7530323f39451c43fc9e4693b30704a5f9e9287018c727a44c36a5d",
            "id": "IN-MAL-2026-007383",
            "source": "amazon-inspector",
            "import_time": "2026-06-23T22:31:28.207528469Z"
        }
    ]
}
References
Credits

Affected packages

npm / bug-monorepo

Package

Affected ranges

Affected versions

3.*
3.1.94

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "3c411199a2ca17330dd250c06a0c70852359fa777269e8d076cf43969f869f8b7226f3",
            "sha256": "ccdd4129bddff8b06992b21c85a3a541a4bdf008d6f00cb5252dcc252387c14a",
            "path": "index.js"
        },
        {
            "tlsh": "f7d0a7304ea1553375c116920c2b949772618f2f04543c0863cf292c85ce3b798ff30d",
            "sha256": "afdc2a55f1e788e26ecb3362af7222937ab658332826fc22becf6e43867bb558",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "00905432faa6a3cec56090e429181ef2171ac3af",
                "sha512_sri": "sha512-lrhFdjjEkzV9Np6ZzcKl0ewzGPDFobymHFwxjhdUgBIXXtHxEm9eIdTNdeuTjUoPISArl160UJIwDdlBVrxXig=="
            },
            "filename": "bug-monorepo-3.1.94.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bug-monorepo/MAL-2026-6349.json"