MAL-2026-6559

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lc-chatbot/MAL-2026-6559.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6559
Published
2026-06-28T13:05:55Z
Modified
2026-06-29T07:16:44.675956118Z
Summary
Malicious code in lc-chatbot (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (81ca324fdc9c4ba5536abcd43972f1a506f4af99ace29447b66a17947b1b8606)

package.json declares both preinstall and postinstall scripts that run node callback.js, so the callback fires automatically on npm install with no user interaction. callback.js collects identifying data from the installer's machine — os.hostname(), os.userInfo().username, process.cwd(), the consuming package name@version, and process.platform/arch — and transmits it to two attacker-controlled collectors: (1) a DNS lookup whose label is the hex-encoded hostname under a canarytokens.com subdomain, and (2) an HTTPS GET to https://eolxuw8fddeyjj8.m.pipedream.net carrying the collected fields as query parameters. The callback wraps all I/O in try/catch and forces process.exitCode=0, so the install completes silently even if the network call fails, hiding the beacon from the installer. The package self-describes as a dependency-confusion proof-of-concept, but the behavior is genuine install-time exfiltration of installer-identifying data and harms any machine that runs npm install.

Source: ossf-package-analysis (10b9ccdaec6709f86d79c1dec1b8fbfa87926dedbdc1e2355979308e7c516f3e)

The OpenSSF Package Analysis project identified 'lc-chatbot' @ 0.9.0-rc.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "source": "ossf-package-analysis",
            "sha256": "10b9ccdaec6709f86d79c1dec1b8fbfa87926dedbdc1e2355979308e7c516f3e",
            "import_time": "2026-06-28T13:36:05.411260521Z",
            "versions": [
                "0.9.0-rc.0"
            ],
            "modified_time": "2026-06-28T13:05:55Z"
        },
        {
            "import_time": "2026-06-29T07:09:09.42843666Z",
            "id": "IN-MAL-2026-007743",
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:32:14Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "versions": [
                "0.9.0-rc.0"
            ],
            "sha256": "81ca324fdc9c4ba5536abcd43972f1a506f4af99ace29447b66a17947b1b8606"
        }
    ]
}
References
Credits

Affected packages

npm / lc-chatbot

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.9.0-rc.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lc-chatbot/MAL-2026-6559.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "lc-chatbot-0.9.0-rc.0.tgz",
            "hashes": {
                "sha1": "41f14c35c8cacde5bb997af29f4864386a631e02",
                "sha512_sri": "sha512-E6cBS04zwWZqm+wUfWQ1Kg1rTXfSnJEKrVFVu3xaq1ckezTo94M7HPKIFKGPKkt4lf9oVZGwNnuaM/QGHc6I1A=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "024132665cb8502018a9f17a83af1216d5a3f3230bc9dfe0bc5de2509f70535025e9f4",
            "path": "callback.js",
            "sha256": "5552a7029e119325c9623ab04ba83ea9d73d793a75fdabae1a7a5a9929095d1d"
        },
        {
            "tlsh": "3ee068384a238e232cf0bfd2083652562d614e878c08780502a7412882cd7f606ff27f",
            "path": "package.json",
            "sha256": "99663291c19bc4c45baa1dbd5225cf6beb7c352cece2a5f4bd2d9624d946bc23"
        }
    ]
}