MAL-2026-6697

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sudoughnym/enviro-demo/MAL-2026-6697.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6697
Published
2026-06-30T20:59:17Z
Modified
2026-06-30T21:46:46.888253277Z
Summary
Malicious code in @sudoughnym/enviro-demo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957)

@sudoughnym/enviro-demo@99.99.99 ships preinstall.js and postinstall.js lifecycle scripts that run automatically on npm install. Both scripts collect host identifiers and environment metadata — os.hostname(), process.cwd(), pid, node version, platform, process.env.USER, the first ten environment variable names, and the total env count — and POST them as JSON to https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7, a third-party webhook capture service not associated with the package's stated publisher. The package version (99.99.99) and its own description identify it as a dependency-confusion proof-of-concept targeting an internal enviro package name; the inflated semver is intended to outrank private-registry versions so internal build systems resolve to this public package. Installer harm: any build or developer machine that resolves to this version leaks host identity and environment-variable layout (which can include secret-bearing variable names) to an attacker-controlled endpoint on every install.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.99.99"
            ],
            "id": "IN-MAL-2026-007815",
            "modified_time": "2026-06-30T20:59:17Z",
            "import_time": "2026-06-30T21:35:49.848832693Z",
            "sha256": "02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @sudoughnym/enviro-demo

Package

Name
@sudoughnym/enviro-demo
Purl
pkg:npm/%40sudoughnym%2Fenviro-demo

Affected ranges

Affected versions

99.*
99.99.99

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sudoughnym/enviro-demo/MAL-2026-6697.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "enviro-demo-99.99.99.tgz",
            "hashes": {
                "sha1": "b18eadcb0f62b03b69c83d6e94d0e0ae59491bfb",
                "sha512_sri": "sha512-0edpnYwjpGQJbNmYw615jFEO+AmwNxe23cH6Briw61pX4lhkOO2+sBx+3GDWUwoZdHafgy6ZbdMT+rSDAZD/4Q=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "preinstall.js",
            "sha256": "03df4047f3aaa9c2cbbfd289053a748d9b5f82a4113ed142dc54f9a9f5529ad0",
            "tlsh": "202144d4e1e8661413b7b3e5e08b611a39b7c841974b7964f45883633fd5a2801729ed"
        },
        {
            "path": "package.json",
            "sha256": "57dca44a6dc5be90c2735bfc0ec5593f143634a523bbe7aaa4c23584d0a1f689",
            "tlsh": "e8e068704400eb33bcce4be9083380067bf94846ca64190863db808a138d17e87ff15a"
        }
    ]
}