MAL-2026-6991

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/airkey-mfa-react/MAL-2026-6991.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6991
Published
2026-07-08T16:30:56Z
Modified
2026-07-08T17:46:44.964819695Z
Summary
Malicious code in airkey-mfa-react (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (03026bf6133183ffaba772b4b1f585bab0a42ab87823a0a2375a7f1cba08661e)

package.json declares a preinstall hook that runs index.js on npm install. index.js collects host and user identity data — hostname, platform, arch, home directory, username/uid/gid/shell, OS info, cwd, plus the output of whoami and id — and POSTs the JSON to a hardcoded Burp Collaborator-style OAST subdomain at s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package ships no library code matching its advertised MFA/React purpose; the install-time beacon is the package's only functional behavior. Empty author/description metadata and the mismatch between the package name and its contents are consistent with a dependency-confusion or namespace-squat placeholder targeting an internal package name.

Source: ossf-package-analysis (aabfcc531d8f0174d9ba67b4ff82625500d953dfa0016b3e7bd95df973d5509f)

The OpenSSF Package Analysis project identified 'airkey-mfa-react' @ 36.1.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-08T16:30:56Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-07-08T17:01:26.23242759Z",
            "sha256": "aabfcc531d8f0174d9ba67b4ff82625500d953dfa0016b3e7bd95df973d5509f",
            "versions": [
                "36.1.1"
            ]
        },
        {
            "modified_time": "2026-07-08T17:31:16Z",
            "id": "IN-MAL-2026-008173",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:40:20.029892364Z",
            "sha256": "03026bf6133183ffaba772b4b1f585bab0a42ab87823a0a2375a7f1cba08661e",
            "versions": [
                "20.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / airkey-mfa-react

Package

Affected ranges

Affected versions

20.*
20.0.1
36.*
36.1.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "airkey-mfa-react-20.0.1.tgz",
            "hashes": {
                "sha1": "a6bd164a56a490e40ff30f779d0dfcacba617be8",
                "sha512_sri": "sha512-No/49mPptnhlI2bn2Kl+I7nWVv0KgURwhpV4b9GWBhdz+3eDyqZm407yH0pMTU0bow40l5CBddwWZ6a5Ud1D0Q=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "3b5141c515f65a251ba7b8494a4f9402b227e0033606de55bfcc8740af9537c9bf0bf6",
            "sha256": "97807c86a507cbabc4bbb48a63d172bf5119a7cbf9b6e17284daf3146ca1cb78"
        },
        {
            "path": "package.json",
            "tlsh": "13d05e344d21652329c102a6082b948b72a18e2b14047c08a38b582c559e27798ff32d",
            "sha256": "8a539c996ca4a843a3ce4e4cc86a5aabc9777eb28ecf49a54a9f334a11ad0fea"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/airkey-mfa-react/MAL-2026-6991.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]