MAL-2026-6521

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@carvana.authentication-flows/shared/MAL-2026-6521.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6521
Published
2026-06-26T14:36:29Z
Modified
2026-06-26T15:16:36.392458642Z
Summary
Malicious code in @carvana.authentication-flows/shared (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (78538bf70d1ebd3e4cd784d90b3961ea7966ce9b97e8124110374cad95c0b894)

package.json declares a preinstall hook (node index.js) that runs unconditionally on npm install. index.js imports child_process, os and https, collects host identifiers (os.hostname, os.userInfo, platform, arch, homedir, cwd), shells out to whoami and id, then POSTs the collected JSON to a hardcoded Burp Collaborator subdomain at https://pleq9pugrugzr4zgyymazmnq0h68u4it.oastify.com/detox56. The package name also impersonates the Carvana org by placing a period inside the scope (@carvana.authentication-flows/shared), so carvana.authentication-flows is a fake top-level npm scope rather than a Carvana-owned namespace. No legitimate functionality is shipped; the package's sole effect on install is reconnaissance exfiltration to an attacker-controlled out-of-band server.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "19.2.1"
            ],
            "modified_time": "2026-06-26T14:36:29Z",
            "sha256": "78538bf70d1ebd3e4cd784d90b3961ea7966ce9b97e8124110374cad95c0b894",
            "id": "IN-MAL-2026-007608",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T14:59:21.404970519Z"
        }
    ]
}
References
Credits

Affected packages

npm / @carvana.authentication-flows/shared

Package

Name
@carvana.authentication-flows/shared
Purl
pkg:npm/%40carvana.authentication-flows%2Fshared

Affected ranges

Affected versions

19.*
19.2.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-U+TTgoHl5oDERgD+meQnLOZ6J2z5gIY9minqyqzmJv8ws3tW10y7CKEj+PCcDajYej1pRMPnrk5iUVuJl5NuXg==",
                "sha1": "334c51ef3b5ffd32c4738e36b75fabee4089c7cd"
            },
            "filename": "shared-19.2.1.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "515151c515f65a241ba7b8494a4f9402a327e103350aee59bfcc8340af9937c97f0bf2",
            "sha256": "9f851a66b1ef4cf2b6543e3b624dc281563a1b69ecf655d6d2eb18b54b5d222e"
        },
        {
            "path": "package.json",
            "tlsh": "48d05e348e616923a6c112b29c2b948673a19f6f04143c0867df682d91de777a8ff35d",
            "sha256": "af283088a4067e78c0dedb6c29a896e298d609863cbe5341d39e3fc729b66b1f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@carvana.authentication-flows/shared/MAL-2026-6521.json"