-= Per source details. Do not edit below this line.=-
Package claims the @k18n npm scope (used internally by Kuaishou) and publishes at version 99.0.0 — the canonical high-version dependency-confusion shape that causes internal builds resolving @k18n from public npm to pull this artifact. A preinstall script in index.js collects host identifiers (os.hostname(), os.userInfo().username, install directory, cwd, package version) and transmits them to c.adityasec.com over two channels: an HTTPS POST to https://c.adityasec.com/LdCdrTByhmflbwt5qFNisg and a DNS lookup of a hex-encoded subdomain under c.adityasec.com (DNS exfil fallback for hosts where outbound HTTPS is restricted). The lifecycle hook fires automatically on npm install with no consent. The package's own description self-labels this as a 'dependency confusion proof of concept,' but the cover-story label does not change the installer-side harm: any build host that resolves @k18n from the public registry leaks internal hostnames, usernames, and build paths to a third-party operator.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-28T06:01:17Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "IN-MAL-2026-007696",
"source": "amazon-inspector",
"import_time": "2026-06-28T06:50:42.818797198Z",
"sha256": "6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8",
"versions": [
"99.0.0"
]
},
{
"modified_time": "2026-07-08T16:21:27Z",
"id": "IN-MAL-2026-008078",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:28.829183185Z",
"sha256": "c0179fff59fcd98ba528e9806c213bfd4d5a84650f2171ee07e38385f1457491",
"versions": [
"99.0.1"
]
},
{
"modified_time": "2026-07-08T16:21:55Z",
"id": "IN-MAL-2026-008081",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:29.004316922Z",
"sha256": "d6af95c8029bf9e5648dccc458f775b45988bf74f2b0dee8ffe66030b5ed04f1",
"versions": [
"99.0.2"
]
}
]
}{
"evidence_files": [
{
"path": "index.js",
"tlsh": "ab2116f0939450b025b545c0a4a5491122dbc77f7e1bfcf1b59802294f9eefd41364ba",
"sha256": "ccb00bd9bfd7267264645159b028d65662a9c8085b38b4a82009207e66ae5122"
},
{
"path": "package.json",
"tlsh": "9ff0e1709c1464230dd911e148751545a175ce3b4d09ec6a67b6012c818feaa467e3ed",
"sha256": "61184cc8bb745f03496f588ec6e4ed28a7261036f7080444cfabd7d9cb08a8d2"
}
],
"package_integrity": [
{
"filename": "creatormarketplace-admin-language-99.0.0.tgz",
"hashes": {
"sha1": "88aee6b16d2d27cbdea10f3c62fcc2ce59911d68",
"sha512_sri": "sha512-4M1Z4VHztMAbjyFN2YRa+PFQZ6j43XPXws9Q48fkUf2KRzTkQSQ5UPu59HRmjKyqra6EJNXJTVNMyvwJr3yYUQ=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@k18n/creatormarketplace-admin-language/MAL-2026-6550.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]