-= Per source details. Do not edit below this line.=-
package.json declares a postinstall lifecycle script that automatically runs on npm install and executes roughly 25 curl POST requests harvesting cloud-instance identity and credential data from /data/* paths (ami-id, instance-id, iam/, identity-credentials/, public-keys/, security-groups, mac, hostname, local/public ipv4, etc.). Each value is sent over plain HTTP to http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/, a Burp Suite Collaborator out-of-band exfiltration host controlled by the attacker. The package advertises itself as 'a collection of handy string utility functions' but ships no string-utility code coupled to the install hook — only the exfiltration payload. Author, repository, bugs, and homepage fields are all empty strings, consistent with a disposable namespace-squat used to deliver an exfiltration payload (dependency-confusion / typosquat shape). Installing this package on any host — and especially on a cloud build agent — leaks IAM metadata, SSH public keys, and instance identity to an attacker-controlled collaborator endpoint.
The OpenSSF Package Analysis project identified 'easy-string-kit' @ 1.0.1 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.1"
],
"modified_time": "2026-06-25T08:39:07Z",
"sha256": "afb272eb6208527c57abc9ef604a3776dfdca057e5c9b16e524aa4703df623b4",
"source": "ossf-package-analysis",
"import_time": "2026-06-25T09:12:42.856065352Z"
},
{
"versions": [
"1.0.4"
],
"modified_time": "2026-06-25T09:06:09Z",
"sha256": "c55d7da68cef70d2fe31e80813b424d9dffc89df94655a004ad5b75164bd31ce",
"source": "ossf-package-analysis",
"import_time": "2026-06-25T09:12:42.979333164Z"
},
{
"versions": [
"1.0.5"
],
"modified_time": "2026-06-25T09:10:57Z",
"sha256": "f74efd21d4c8aa6f6f7ca656d1e95ce1ed8af540bec178c8dba68d18c100b58e",
"source": "ossf-package-analysis",
"import_time": "2026-06-25T09:12:43.095282184Z"
},
{
"versions": [
"1.0.8"
],
"modified_time": "2026-06-25T09:45:51Z",
"sha256": "782d491f535725c6f1d9094004d37fa1b859b51029af438489c43337ca6100c8",
"source": "ossf-package-analysis",
"import_time": "2026-06-25T10:28:39.629224177Z"
},
{
"versions": [
"1.0.6"
],
"modified_time": "2026-06-25T09:15:47Z",
"sha256": "b125035c3620d0661cf2f91de0406674fbfa03d2dbd9604bc4be06b2bf91da00",
"source": "ossf-package-analysis",
"import_time": "2026-06-25T10:28:39.535440527Z"
},
{
"versions": [
"1.0.7"
],
"modified_time": "2026-06-25T16:10:36Z",
"sha256": "4c8bf2d258e00356212c31be69265d92f7dce0d1d44d722b06fe44af794c3c05",
"id": "IN-MAL-2026-007521",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.522701525Z"
},
{
"versions": [
"1.0.5"
],
"modified_time": "2026-06-25T16:10:29Z",
"sha256": "8cb77d96cfd133340395df1765df2426f8414d80158e62ee5832ab6d4a18e803",
"id": "IN-MAL-2026-007515",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.111114444Z"
},
{
"versions": [
"1.0.8"
],
"modified_time": "2026-06-25T16:10:28Z",
"sha256": "996cfedfd2d4f07a054c81e53a6600f942c7191d1741cfbedc0ab5b3eeba80a2",
"id": "IN-MAL-2026-007514",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.064106976Z"
},
{
"versions": [
"1.0.3"
],
"modified_time": "2026-06-25T16:10:33Z",
"sha256": "ac1d07cf8a31b279f0813624af49d302d733976816c312ddc5b5ae450e33f3fd",
"id": "IN-MAL-2026-007518",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.335163234Z"
},
{
"versions": [
"1.0.4"
],
"modified_time": "2026-06-25T16:10:32Z",
"sha256": "b239d7d57b3db762c896e61f2ab9c2307258df820bf235c1580e0a4201e57cb5",
"id": "IN-MAL-2026-007517",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.203919421Z"
},
{
"versions": [
"1.0.2"
],
"modified_time": "2026-06-25T16:10:33Z",
"sha256": "e0c51a3080a31d94680aa3ff7e8804fbc4eb3860b2b60e7e3d0efa2fc8bd1ebc",
"id": "IN-MAL-2026-007519",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.398770274Z"
},
{
"versions": [
"1.0.6"
],
"modified_time": "2026-06-25T16:10:26Z",
"sha256": "0fbb31b7d499411ca75ce301e70f9fd70e92b962fed95967fadc2d21e434e0dc",
"id": "IN-MAL-2026-007513",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.006717888Z"
},
{
"versions": [
"1.0.1"
],
"modified_time": "2026-06-25T16:10:35Z",
"sha256": "31e6843fcf9481d9bb7e803995a1710b8d325a7661a8cd8fff5ba6f4be6737a5",
"id": "IN-MAL-2026-007520",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:40.4745967Z"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "easy-string-kit-1.0.7.tgz",
"hashes": {
"sha512_sri": "sha512-cNRekItuFgRPtDdwb3nJPO7A/vnJtq6yl/dTprmQNHGvQDGhACo0KPuYpVDYqdKuEPlwU4FJ6+cSjZd0XLluOQ==",
"sha1": "590bd3e82b79a98f84c355e7bbebde0b97d722a2"
}
}
],
"evidence_files": [
{
"path": "package.json",
"tlsh": "b301cb14c2205d3316d96a30b99b0643b0125e5b09143c1877c3812c0fbf76b90fe26d",
"sha256": "9d72c49c5130c93317fac6d857404086682bcc513b5b5457e0ba917f6d55973c"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/easy-string-kit/MAL-2026-6459.json"