MAL-2026-6569

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/longzy-basic-ui/MAL-2026-6569.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6569
Published
2026-06-29T04:37:18Z
Modified
2026-06-29T05:16:42.410591770Z
Summary
Malicious code in longzy-basic-ui (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (90336f7ef2177c75d9cf4a1872fe94504a382dfd1907e7617e0e06642f2dae67)

On npm install, the package's postinstall hook executes .prepare.cjs, which collects the installer's hostname, username, platform, Node version, non-internal network interfaces, npm registry, and a complete dump of process.env (every key except those prefixed npm_lifecycle), then HTTPS-POSTs the payload as a Lark/Feishu bot message to a hardcoded webhook on open.larksuite.com. The destination hostname is reversed and char-shifted by 7, and the webhook path is XOR-decoded with key Zk9x at runtime to hide the endpoint. Before sending, the script runs sandbox/honeypot evasion: char-code-decoded checks for AWS example credentials and honeypot tokens (PYPI_POISON_HONEY_TOKEN, PP_ARTIFACT_SHA256, THREAT_ANALYZER_MODEL, ASPECT_TLOG), sandbox env prefixes (SANDYCLAW_, OPENCLAW_, PERMISO_, CHAINRADAR_), hostname regex matching detonat|cuckoo|virus|scan|chainradar, and usernames such as sandbox and malware. The package's declared homepage/repository.url is an RFC1918 internal address (http://192.168.100.4:9088/app/lzy-basic-module.git) inconsistent with publishing to the public npm registry, and the stated purpose ("Support WoPet ui") is unrelated to the postinstall beacon. The combination of obfuscated author-controlled destination, full process.env exfiltration, and explicit sandbox evasion is unambiguous credential-theft malware.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-007726",
            "versions": [
                "2.0.3"
            ],
            "modified_time": "2026-06-29T04:37:18Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "source": "amazon-inspector",
            "sha256": "90336f7ef2177c75d9cf4a1872fe94504a382dfd1907e7617e0e06642f2dae67",
            "import_time": "2026-06-29T05:07:07.487500811Z"
        }
    ]
}
References
Credits

Affected packages

npm / longzy-basic-ui

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.0.3

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "longzy-basic-ui-2.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-I6YU7E+tlzQ4fXExqOC1Wg8FfAfeVC4bbE/OD34PuwDLyb9NQmruhqIh4ocw6MF/s9YmUqCC+NpQOkP0qEjWfA==",
                "sha1": "551c0892b495052470103a82daf3b6a5b5a48503"
            }
        }
    ],
    "evidence_files": [
        {
            "path": ".prepare.cjs",
            "sha256": "d17157828b17732d1577bf74528962b924d57f28f238f5df8fe3c31411ae84a4",
            "tlsh": "ade131ced3a11ae5ab5108a3841e750a58b8c1231d2d92d8bcd4c2d77ff5b7056aa3fc"
        },
        {
            "path": "package.json",
            "sha256": "6caba23a140e569c6b597b6cf4154704f838baaafd686a88d1cc382b26cddb47",
            "tlsh": "f111ed20ca704e7385dc59d478690083e226cc1b4c58bc0873fb461c1b6d97fa9bd22c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/longzy-basic-ui/MAL-2026-6569.json"