{"id":"MAL-2023-1111","summary":"Malicious code in afterpay-sdk-example-server (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a81a53b70f9ae2610148f223507c5427bea5a52160b7f8ba214a0c3ac0fe96f7)\npackage.json declares a preinstall hook (\"preinstall\": \"node index.js\") that runs automatically on npm install. index.js requires os/fs/https, then collects host identifiers and installer-side files — __dirname, os.homedir(), os.hostname(), os.userInfo(), DNS servers, the full contents of /etc/passwd and /etc/hosts, and the package.json — and POSTs them over HTTPS to xqrangwae3pk5bd12xbr6t8q9hfc32rr.oastify.com (a Burp Collaborator OAST subdomain). The package name 'afterpay-sdk-example-server' impersonates an internal Afterpay SDK example, consistent with a dependency-confusion payload targeting Afterpay's internal build systems. Whether published as research or attack, any installer running npm install leaks system account data and host fingerprints to an attacker-controlled out-of-band collection endpoint.\n\n## Source: ossf-package-analysis (555a159aa3b74ea73f8574c05e14aa536948cbe56b0420bcdcc0daa2a911ae2c)\nThe OpenSSF Package Analysis project identified 'afterpay-sdk-example-server' @ 20.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-24T03:31:23.592082470Z","published":"2023-05-03T01:37:43Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2023-05-03T01:37:43.254364445Z","sha256":"555a159aa3b74ea73f8574c05e14aa536948cbe56b0420bcdcc0daa2a911ae2c","import_time":"2023-08-10T06:15:34.688464725Z","source":"ossf-package-analysis","versions":["20.0.0"]},{"id":"RLMA-2024-00311","sha256":"328b2a8f94905ee0b2cc82dfaf2bc08b91fc054f442ec204ff09f65a419a7167","modified_time":"2024-06-25T12:25:05Z","import_time":"2024-06-28T02:41:50.31797239Z","source":"reversing-labs","versions":["20.0.0"]},{"id":"IN-MAL-2026-007396","sha256":"a81a53b70f9ae2610148f223507c5427bea5a52160b7f8ba214a0c3ac0fe96f7","modified_time":"2026-06-24T02:39:16Z","import_time":"2026-06-24T03:14:01.252380856Z","source":"amazon-inspector","versions":["1.2.1"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/afterpay-sdk-example-server/v/1.2.1"}],"affected":[{"package":{"name":"afterpay-sdk-example-server","ecosystem":"npm","purl":"pkg:npm/afterpay-sdk-example-server"},"versions":["20.0.0","1.2.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"dda06ca44061b7a005ca1500165416d1144f6edcfc156a1063ccd5b1f5632ac1","path":"index.js","tlsh":"3a41259592c917330dd110c0660c70812359fa777259d8d076cf42d6af869f8b7316f3"},{"sha256":"c22ab3825f9ec804d68cb62b820cf64dbec063fd77636063e684076559ad2f0f","path":"package.json","tlsh":"10d05e208e62953325c102aa0c2ba44673a18e2f14153c08a7cb192d818f67798ff35e"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/afterpay-sdk-example-server/MAL-2023-1111.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}