-= Per source details. Do not edit below this line.=-
Package published under a scope shadowing internal Luminary Cloud packages (@luminarycloudinternal) at version 9999.0.1 — the canonical dependency-confusion shape designed to win version resolution over a private internal package of the same name. On install, postinstall.js (line 8) performs an HTTPS GET to a hardcoded external host (poc-luminary-npm-1782987043.testingboxes.com) carrying installer-owned CI and host identifiers: GITHUBREPOSITORY, GITHUBSHA, GITHUBREF, GITHUBWORKFLOW, RUNNER_NAME, os.hostname(), and npm user-agent. When a build system misresolves the internal name to the public registry, this postinstall runs automatically and discloses internal repository, workflow, commit, and runner identifiers to a third-party endpoint. The package self-identifies as a Bugcrowd research canary, but self-labeling does not change the mechanism: installer-owned metadata leaves the machine at install time to a non-first-party destination via a namespace-squat.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-08T16:20:43Z",
"id": "IN-MAL-2026-008073",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:28.45519839Z",
"sha256": "58ed68e675b2b6cde30e6b7c8e34077eda805a4bde64ca7cd2c68c6f4370ee5f",
"versions": [
"9999.0.1"
]
},
{
"sha256": "dd259558aaf77c18364c7c286e8e4d12cb6ea96c9b9b7bff8ef7bf1e05f750a4",
"id": "IN-MAL-2026-008124",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:32.473422858Z",
"modified_time": "2026-07-08T16:28:16Z",
"versions": [
"9999.0.2"
]
}
]
}{
"evidence_files": [
{
"path": "postinstall.js",
"tlsh": "a82140bb027e613528732994940ee044b673e1b64cd3a6b0b65ce2345f6c55e123e4fa",
"sha256": "8e4869ca571995ed56830ca97e16655fd068d412c7cba638ee42ca9d52818eae"
},
{
"path": "package.json",
"tlsh": "2de0f157244063337cd466b35873b21d3929cb0e14da241843f701c81041ff38667aa9",
"sha256": "4eca116a28737624320fee2335db082f77fbc5406b5773cdd06b249c96c5963f"
}
],
"package_integrity": [
{
"filename": "frodo-9999.0.1.tgz",
"hashes": {
"sha1": "c47d00df199db477d35768711bb6e050986d7bb3",
"sha512_sri": "sha512-GcsV6QrXSOXNNRcY0Vu7ptCPzeoMw6XrGmg19MWyGXl+D1EILr7ZqEcSdb9syw2D3khsfGpkS3hIjBlB/N0U7w=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@luminarycloudinternal/frodo/MAL-2026-6986.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]