{"id":"MAL-2024-2779","summary":"Malicious code in oauth-connect (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b49c48193ba50bb4ead1e212925eab8873e7e4ad7fa834d41e7626bb4e5036f3)\npackage.json declares a `preinstall: node index.js` hook that fires automatically on `npm install`. index.js collects installer-side data — `os.hostname()`, `os.userInfo()`, home directory, DNS server configuration, the contents of `/etc/passwd` and `/etc/hosts`, and the contents of the consumer's `package.json` — then HTTPS POSTs the assembled JSON to `f3js0y9srl22itqjffo9jbl8mzswgm4b.oastify.com`, an attacker-controlled Burp Collaborator subdomain. The package's advertised purpose (an OAuth helper) bears no relationship to reading `/etc/passwd` or beaconing host identifiers off-machine. This is a reconnaissance / dependency-confusion exfiltration payload that runs unattended on every machine that installs the package.\n","modified":"2026-06-23T22:46:23.593611709Z","published":"2024-06-25T12:53:40Z","database_specific":{"malicious-packages-origins":[{"versions":["2.0.1"],"modified_time":"2024-06-25T12:53:40Z","sha256":"58cdf77b0ce849d87a73b7b742c549d96a0e74a5083bbd5e7052cec96dcd6f75","import_time":"2024-06-28T02:44:12.934484377Z","source":"reversing-labs","id":"RLMA-2024-01484"},{"id":"RLUA-2024-07004","modified_time":"2024-10-16T13:08:36Z","sha256":"e9e13b3242147d53e64ad60318a7ab4e3dcf782f750149928912d60a5b8961cf","import_time":"2024-10-24T00:58:08.729509642Z","source":"reversing-labs"},{"versions":["0.1.1"],"modified_time":"2026-06-23T22:25:41Z","id":"IN-MAL-2026-007390","import_time":"2026-06-23T22:31:28.726727113Z","sha256":"b49c48193ba50bb4ead1e212925eab8873e7e4ad7fa834d41e7626bb4e5036f3","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/oauth-connect/v/0.1.1"}],"affected":[{"package":{"name":"oauth-connect","ecosystem":"npm","purl":"pkg:npm/oauth-connect"},"versions":["2.0.1","0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oauth-connect/MAL-2024-2779.json","indicators":{"package_integrity":[{"filename":"oauth-connect-0.1.1.tgz","hashes":{"sha1":"c723bfe3fe202419a53e270b6f97007d59592ae4","sha512_sri":"sha512-VrJwoZPHzVKjz7CxEzkTDDSmYA0Z7GP+hh/vSTp648nBdkrarpTret3TgkTTKVLbqKOl78zYb4ltmcDuo71i7g=="}}],"evidence_files":[{"path":"index.js","sha256":"b98e6327b15b5885a437db2baa282eb78a85ff62c75a6a91dde7160ddd21ebb7","tlsh":"3c411395a2c917330dd210c06a0c70812359fa767259a9d076cf42969f869f8b7326f3"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}