MAL-2026-6972

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vwfs-its/sf-sac-frontend/MAL-2026-6972.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6972
Published
2026-07-08T10:15:48Z
Modified
2026-07-09T16:31:55.998617850Z
Summary
Malicious code in @vwfs-its/sf-sac-frontend (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (41fd62df844e3fba17cb6200b0c9f2ce518a630677ed96f4cf0349b2a3eb7a3d)

On npm install, the package's preinstall hook (node index.js) collects installer host identity — hostname, OS user info, output of whoami and id, shell, home directory, platform, and current working directory — and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://rsnchacyin4dnjv0oc8prrwn1e77vzjo.oastify.com/detox56. The package ships under an internal-looking scope (@vwfs-its) with empty author/description/license metadata and no functional code beyond the recon beacon, matching the shape of a targeted dependency-confusion attack: publish a public package that mirrors an internal name so that a misconfigured resolver in the target's build environment pulls the public copy and executes the payload during install.

Source: ossf-package-analysis (2e08b57aacea0c5dcc883413eddf7737e7a45fa2c21bd5381d4e80235b3ef182)

The OpenSSF Package Analysis project identified '@vwfs-its/sf-sac-frontend' @ 20.1.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "20.1.1"
            ],
            "sha256": "2e08b57aacea0c5dcc883413eddf7737e7a45fa2c21bd5381d4e80235b3ef182",
            "import_time": "2026-07-08T10:18:19.196233331Z",
            "modified_time": "2026-07-08T10:15:48Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "20.1.1"
            ],
            "id": "IN-MAL-2026-009105",
            "import_time": "2026-07-09T16:20:41.143819159Z",
            "modified_time": "2026-07-09T15:29:03Z",
            "sha256": "41fd62df844e3fba17cb6200b0c9f2ce518a630677ed96f4cf0349b2a3eb7a3d",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @vwfs-its/sf-sac-frontend

Package

Name
@vwfs-its/sf-sac-frontend
View open source insights on deps.dev
Purl
pkg:npm/%40vwfs-its/sf-sac-frontend

Affected ranges

Affected versions

20.*
20.1.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "175170d505f65a241ba7b8494a4f9002b227e0033606ee55bfdc8340af8837c9bf0bf6",
            "sha256": "54cc512c3973d1e03f71412df3c0149633838557fa1b4109fb50c6d808f4d097",
            "path": "index.js"
        },
        {
            "sha256": "7fae9272e81612a2bde42281e56717af3017cdb3db0931d47f7594d9dbe0bd6e",
            "tlsh": "afd05e344e21553365c242a60c2aa44b72a18e2b04147c08b3cb5c2c81de6b798ff35c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "sf-sac-frontend-20.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-vIM83+cP8i/UEZ1AcZBTWxwK0BY2Y3R8D2YoxpLdcdsVXjTXG2UBI/zIv5f7u173wKOZCrRbK1jOWKwXqlhGUg==",
                "sha1": "cb91d9fbe24e4a579521f39942689bf712d6edcf"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@vwfs-its/sf-sac-frontend/MAL-2026-6972.json"