MAL-2026-6480

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gx-npm-lib/MAL-2026-6480.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6480
Published
2026-06-25T22:30:08Z
Modified
2026-06-25T23:16:24.817879206Z
Summary
Malicious code in gx-npm-lib (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e)

Package published at version 99.99.99 under a generic name (gx-npm-lib) — the canonical dependency-confusion shape used to overshadow internal packages in CI version resolution. The postinstall lifecycle script runs node beacon.js, which collects installer metadata (package name, os.hostname(), os.userInfo() username, process.cwd(), the names of process.env variables, and Node version) and exfiltrates it via two channels to the hardcoded attacker-controlled OAST domain d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me: (1) a DNS lookup encoding pkg.host.user as subdomains, and (2) a base64-encoded HTTPS GET to https://d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me/<pkg>?d=<base64>. The package self-describes as a 'security-research placeholder' for a dependency-confusion PoC, but that self-label does not constitute installer consent — npm install in any environment where this package resolves (CI for an internal gx-npm-lib, or a developer mistyping) leaks host/user/cwd/environment inventory to the attacker's OAST collector. Multi-channel (DNS + HTTPS+base64) exfiltration to a hardcoded interactsh-style domain on a default install is a textbook active supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e",
            "id": "IN-MAL-2026-007560",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T22:30:08Z",
            "versions": [
                "99.99.99"
            ],
            "import_time": "2026-06-25T23:00:34.6160742Z"
        }
    ]
}

Affected packages

npm / gx-npm-lib

Affected versions

99.*
99.99.99

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gx-npm-lib/MAL-2026-6480.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "8642a1b9117942eed77327a315389d97f652317c03f2506a9ee28793621af7b5",
            "tlsh": "2841879f99e8a12822f721f446af402526b3d2631358ddd0745ca3158f75db803d6cfe",
            "path": "beacon.js"
        },
        {
            "sha256": "f43dd7e027aca56b2f5dd3547f6f38df2e417061bdba6530ee0d848234f266fa",
            "tlsh": "92f0ac48f4146e7665e655e2183970c237314c4b9b10a949b69f80086b1dee703fb1aa",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "gx-npm-lib-99.99.99.tgz",
            "hashes": {
                "sha1": "f52f2ff07b0692fa4ad23c7182a3a3df03ff14b6",
                "sha512_sri": "sha512-pkF9XgdUnVdjNYbsn2ffbnywa+bABrrlHzqlECQFG/xcTDJhKTotDc+7nDApaa8xBBhWAeFyWQ48Mq+ZU29WFQ=="
            }
        }
    ]
}