MAL-2026-6709

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vega-lite-next/MAL-2026-6709.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6709
Published
2026-07-01T19:16:14Z
Modified
2026-07-01T20:16:47.885897533Z
Summary
Malicious code in vega-lite-next (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd)

Package name impersonates the popular vega-lite library but ships no vega functionality — only a preinstall exfiltration stub. package.json declares preinstall: node index.js. On npm install, index.js collects os.hostname(), platform, arch, os.userInfo() (username/uid/gid/shell), homedir, cwd, and the output of whoami and id executed via child_process, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://kbztayu6auucui8s9ucz2mujkaq1er2g.oastify.com/detox56. The combination of typosquat naming, absence of library functionality, automatic preinstall execution, shell reconnaissance, and an attacker-controlled exfil endpoint is an unambiguous supply-chain attack against developers who mistype or are tricked into installing the lookalike.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "19.2.1"
            ],
            "sha256": "8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T19:16:14Z",
            "id": "IN-MAL-2026-007875",
            "import_time": "2026-07-01T20:12:12.40132599Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / vega-lite-next
Affected ranges: 19.*
Affected versions: 19.2.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "vega-lite-next-19.2.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-YWd3sgyY3OBKWeSYg1AvVpX1taenLmMiExmlSIZY7kjzxKBHTtRcawrStlklibYm1M1oK4Hh0FxxBClLJm5plA==",
                "sha1": "65cf1aef6c27a72fd95cc73b23ad2e82f4cd3207"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "cdbd2760dbc11550f16b946a5235ea37a6e087d6a218afe61c4094176f415e41",
            "path": "index.js",
            "tlsh": "d95130c515f65a241ba7b8494a4f9402a327e1033509ee59bfcc8740af9937c97f0bf6"
        },
        {
            "sha256": "0e9905e7823ccf92b80fd5830f3411d633e6a7d29017309034f2f271a947c917",
            "path": "package.json",
            "tlsh": "dad05e244d22552325c102a2582b944772628e2f15143c0867cb582c918e37798fa35d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vega-lite-next/MAL-2026-6709.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]