MAL-2026-6986

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@luminarycloudinternal/frodo/MAL-2026-6986.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6986
Published
2026-07-08T16:20:43Z
Modified
2026-07-08T17:16:50.659901255Z
Summary
Malicious code in @luminarycloudinternal/frodo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (58ed68e675b2b6cde30e6b7c8e34077eda805a4bde64ca7cd2c68c6f4370ee5f)

Package published under a scope shadowing internal Luminary Cloud packages (@luminarycloudinternal) at version 9999.0.1 — the canonical dependency-confusion shape designed to win version resolution over a private internal package of the same name. On install, postinstall.js (line 8) performs an HTTPS GET to a hardcoded external host (poc-luminary-npm-1782987043.testingboxes.com) carrying installer-owned CI and host identifiers: GITHUBREPOSITORY, GITHUBSHA, GITHUBREF, GITHUBWORKFLOW, RUNNER_NAME, os.hostname(), and npm user-agent. When a build system misresolves the internal name to the public registry, this postinstall runs automatically and discloses internal repository, workflow, commit, and runner identifiers to a third-party endpoint. The package self-identifies as a Bugcrowd research canary, but self-labeling does not change the mechanism: installer-owned metadata leaves the machine at install time to a non-first-party destination via a namespace-squat.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-08T16:20:43Z",
            "id": "IN-MAL-2026-008073",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:28.45519839Z",
            "sha256": "58ed68e675b2b6cde30e6b7c8e34077eda805a4bde64ca7cd2c68c6f4370ee5f",
            "versions": [
                "9999.0.1"
            ]
        },
        {
            "sha256": "dd259558aaf77c18364c7c286e8e4d12cb6ea96c9b9b7bff8ef7bf1e05f750a4",
            "id": "IN-MAL-2026-008124",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:32.473422858Z",
            "modified_time": "2026-07-08T16:28:16Z",
            "versions": [
                "9999.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @luminarycloudinternal/frodo

Package

Name
@luminarycloudinternal/frodo
View open source insights on deps.dev
Purl
pkg:npm/%40luminarycloudinternal/frodo

Affected ranges

Affected versions

9999.*
9999.0.1
9999.0.2

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "tlsh": "a82140bb027e613528732994940ee044b673e1b64cd3a6b0b65ce2345f6c55e123e4fa",
            "sha256": "8e4869ca571995ed56830ca97e16655fd068d412c7cba638ee42ca9d52818eae"
        },
        {
            "path": "package.json",
            "tlsh": "2de0f157244063337cd466b35873b21d3929cb0e14da241843f701c81041ff38667aa9",
            "sha256": "4eca116a28737624320fee2335db082f77fbc5406b5773cdd06b249c96c5963f"
        }
    ],
    "package_integrity": [
        {
            "filename": "frodo-9999.0.1.tgz",
            "hashes": {
                "sha1": "c47d00df199db477d35768711bb6e050986d7bb3",
                "sha512_sri": "sha512-GcsV6QrXSOXNNRcY0Vu7ptCPzeoMw6XrGmg19MWyGXl+D1EILr7ZqEcSdb9syw2D3khsfGpkS3hIjBlB/N0U7w=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@luminarycloudinternal/frodo/MAL-2026-6986.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]