MAL-2026-6577

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/int_sezzle_sfra/MAL-2026-6577.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6577
Published
2026-06-29T05:34:59Z
Modified
2026-06-29T07:16:43.966871358Z
Summary
Malicious code in int_sezzle_sfra (npm)
Details


Source: amazon-inspector (16242285e7dabb5a109f61e97ab52c05ad80ea9b8f326a706c3228268536e80d)

package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects host reconnaissance from the installer machine — hostname, OS info, username, uid/gid, shell, home directory, current working directory, and the output of whoami and id shelled out via child_process.exec — and POSTs the resulting JSON to a hardcoded Burp Collaborator OAST subdomain at https://1mopc72u2pqhsphbd3rmzirm9df43wrl.oastify.com/detox56. The package name mirrors the Salesforce Commerce Cloud (SFRA) cartridge naming convention used by Sezzle's internal int_sezzle_sfra integration cartridge; combined with empty author/description/license metadata and the install-time OAST beacon, this matches the canonical dependency-confusion pattern targeting a private vendor cartridge name. Installing this package causes unconsented exfiltration of installer identity and shell-command output to an attacker-controlled callback host.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-007749",
            "import_time": "2026-06-29T07:09:09.874548056Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:34:59Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "versions": [
                "25.2.1"
            ],
            "sha256": "16242285e7dabb5a109f61e97ab52c05ad80ea9b8f326a706c3228268536e80d"
        }
    ]
}
References
Credits

Affected packages

npm / int_sezzle_sfra

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

25.*
25.2.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/int_sezzle_sfra/MAL-2026-6577.json"
indicators
{
    "package_integrity": [
        {
            "filename": "int_sezzle_sfra-25.2.1.tgz",
            "hashes": {
                "sha1": "4b7c5a1fc7b549a150b960020967952d93171848",
                "sha512_sri": "sha512-vLk6wNpDZaeba+gpuXb7CLpyUfbunHxdoinGja+OxQLQpDN+1hJRVFLDWAPOOxpLgqlli+7Y1US95r7yPBc+sA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "bb5152c515f65a241ba7b8494a4f9402a327e0033549ee55bfcc8740af9937c9bf0bf6",
            "path": "index.js",
            "sha256": "6df26231e805de45d3ac940af2c5fe0a7db4e99d7f1a82b476db05f10cf628ab"
        },
        {
            "tlsh": "f5d05e244e22592329c51656082a949a72619f2f04043c08a79f182c51ce27798ff35e",
            "sha256": "ae749e4ef426603267952da6368f1ca83bad71c7a73e689a45cf2822314083e4",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]