MAL-2026-6550

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@k18n/creatormarketplace-admin-language/MAL-2026-6550.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6550
Published
2026-06-28T06:01:17Z
Modified
2026-07-08T17:16:50.597291640Z
Summary
Malicious code in @k18n/creatormarketplace-admin-language (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8)

Package claims the @k18n npm scope (used internally by Kuaishou) and publishes at version 99.0.0 — the canonical high-version dependency-confusion shape that causes internal builds resolving @k18n from public npm to pull this artifact. A preinstall script in index.js collects host identifiers (os.hostname(), os.userInfo().username, install directory, cwd, package version) and transmits them to c.adityasec.com over two channels: an HTTPS POST to https://c.adityasec.com/LdCdrTByhmflbwt5qFNisg and a DNS lookup of a hex-encoded subdomain under c.adityasec.com (DNS exfil fallback for hosts where outbound HTTPS is restricted). The lifecycle hook fires automatically on npm install with no consent. The package's own description self-labels this as a 'dependency confusion proof of concept,' but the cover-story label does not change the installer-side harm: any build host that resolves @k18n from the public registry leaks internal hostnames, usernames, and build paths to a third-party operator.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-28T06:01:17Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "IN-MAL-2026-007696",
            "source": "amazon-inspector",
            "import_time": "2026-06-28T06:50:42.818797198Z",
            "sha256": "6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8",
            "versions": [
                "99.0.0"
            ]
        },
        {
            "modified_time": "2026-07-08T16:21:27Z",
            "id": "IN-MAL-2026-008078",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:28.829183185Z",
            "sha256": "c0179fff59fcd98ba528e9806c213bfd4d5a84650f2171ee07e38385f1457491",
            "versions": [
                "99.0.1"
            ]
        },
        {
            "modified_time": "2026-07-08T16:21:55Z",
            "id": "IN-MAL-2026-008081",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:29.004316922Z",
            "sha256": "d6af95c8029bf9e5648dccc458f775b45988bf74f2b0dee8ffe66030b5ed04f1",
            "versions": [
                "99.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @k18n/creatormarketplace-admin-language

Package

Name
@k18n/creatormarketplace-admin-language
View open source insights on deps.dev
Purl
pkg:npm/%40k18n/creatormarketplace-admin-language

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

99.*
99.0.0
99.0.1
99.0.2

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "ab2116f0939450b025b545c0a4a5491122dbc77f7e1bfcf1b59802294f9eefd41364ba",
            "sha256": "ccb00bd9bfd7267264645159b028d65662a9c8085b38b4a82009207e66ae5122"
        },
        {
            "path": "package.json",
            "tlsh": "9ff0e1709c1464230dd911e148751545a175ce3b4d09ec6a67b6012c818feaa467e3ed",
            "sha256": "61184cc8bb745f03496f588ec6e4ed28a7261036f7080444cfabd7d9cb08a8d2"
        }
    ],
    "package_integrity": [
        {
            "filename": "creatormarketplace-admin-language-99.0.0.tgz",
            "hashes": {
                "sha1": "88aee6b16d2d27cbdea10f3c62fcc2ce59911d68",
                "sha512_sri": "sha512-4M1Z4VHztMAbjyFN2YRa+PFQZ6j43XPXws9Q48fkUf2KRzTkQSQ5UPu59HRmjKyqra6EJNXJTVNMyvwJr3yYUQ=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@k18n/creatormarketplace-admin-language/MAL-2026-6550.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]