MAL-2026-919

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mds-webcomponents/MAL-2026-919.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-919
Published
2026-02-16T15:20:34Z
Modified
2026-06-10T19:31:29.091879672Z
Summary
Malicious code in mds-webcomponents (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4b33015300fa18b6b3d2c2f1c0af0e77cbd9fa96c7af7befbe61a5422165824e)

package.json declares preinstall: node index.js, which runs automatically on every npm install. index.js collects os.homedir(), os.hostname(), os.userInfo().username, dns.getServers(), the package name, __dirname, and the full package.json contents, then HTTPS POSTs them as a querystring msg=... parameter to 2mpf1804g4gnfnvuqqx3om0cw32vqlea.oastify.com — a Burp Collaborator (oastify.com) subdomain used as an out-of-band recon/exfiltration channel. The package provides no legitimate functionality; its only on-install effect is to leak installer host identity and project metadata to an attacker-controlled endpoint. This is the canonical dependency-confusion / red-team recon beacon shape.

Source: ossf-package-analysis (d35cd4fc7e553141b386ee1a6a68e45c41d5ae73d8e013beafd90f6dfc4b1afd)

The OpenSSF Package Analysis project identified 'mds-webcomponents' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-02-16T15:20:34Z",
            "source": "ossf-package-analysis",
            "import_time": "2026-02-16T15:47:33.56876671Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "d35cd4fc7e553141b386ee1a6a68e45c41d5ae73d8e013beafd90f6dfc4b1afd"
        },
        {
            "modified_time": "2026-02-23T03:51:30Z",
            "source": "amazon-inspector",
            "import_time": "2026-02-23T04:19:44.88544304Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "7f6007f508051582581cb5f52ff3494c5da6bb9ad1b6725fa6801b5c1b8e0825"
        },
        {
            "modified_time": "2026-06-10T18:43:27Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-10T19:23:48.94911186Z",
            "id": "IN-MAL-2026-005297",
            "versions": [
                "1.0.2"
            ],
            "sha256": "4b33015300fa18b6b3d2c2f1c0af0e77cbd9fa96c7af7befbe61a5422165824e"
        }
    ]
}
References
Credits

Affected packages

npm / mds-webcomponents

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "mds-webcomponents-1.0.2.tgz",
            "hashes": {
                "sha1": "9a5c7acf67e271e3cd2ced2cbe92ad66e65cae6c",
                "sha512_sri": "sha512-NZgzQXOUEB6o/JyOhNRnB3pYvD92GOn/s/l1aVcnYEckfmz1JQ8VANC+bPIJ5qOfObt7YA681LmGlq5HoY7Ftg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "3711bde8c2922360097989d0b8bdd04c16fee734b10e49e895cd07d547c2af410b39e1",
            "path": "index.js",
            "sha256": "7f93708b58a0ea2cf08690a1a9619f2c16deb2221be984d1dd765bdad139000c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mds-webcomponents/MAL-2026-919.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]