{"id":"MAL-2025-5016","summary":"Malicious code in 0vulns-dependency-confusion-poc (npm)","details":"The package communicates with a domain associated with malicious activity.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3d282025fb2ec1b4012e3b979cec1f66520e643fcadfd2864e54989de50dd00d)\nThe package.json preinstall script runs `wget` against an attacker-controlled webhook.site URL, passing `$(whoami)`, `$(pwd)`, and `$(hostname)` as query parameters, executing automatically on `npm install`. This matches the npm-lifecycle-external-fetch and credential/telemetry exfiltration patterns (findings a static pattern match, a static pattern match, a static pattern match, a static pattern match, a static pattern match). the analysis confirms contextually that the script performs reconnaissance exfiltration to a non-registry collector, and config.unsafe-perm is set to ensure execution. the analysis further notes that the declared main entrypoint is missing and the tarball contains only package.json — the package exists solely to trigger the beacon, with no legitimate runtime functionality. Self-identification as a 'PoC' does not change the risk to an unintended installer (e.g., via dependency confusion).\n","modified":"2026-05-13T20:23:24.845001Z","published":"2025-06-12T17:49:59Z","database_specific":{"malicious-packages-origins":[{"sha256":"3d282025fb2ec1b4012e3b979cec1f66520e643fcadfd2864e54989de50dd00d","id":"IN-MAL-2026-002516","versions":["1.0.0"],"source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","import_time":"2026-05-13T20:10:59.478039662Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0vulns-dependency-confusion-poc/v/1.0.0"}],"affected":[{"package":{"name":"0vulns-dependency-confusion-poc","ecosystem":"npm","purl":"pkg:npm/0vulns-dependency-confusion-poc"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0"}]}],"versions":["1.0.0"],"database_specific":{"indicators":{"urls":["https://webhook.site/b8e1f97a-a6a9-4353-bb3b-e9eb416eb996?user=$(whoami"],"package_integrity":[{"hashes":{"sha1":"0ecb0bad360b07068f961dfc7368d0e82aaf81a2","sha512_sri":"sha512-AW9LFLvjvQqLBQVqDRlUgWn3NeLuTmEu99oJ4CFl2UMOFpGm+k5vVd/WtCqIozaiK+pv0H6hdyKK/o+Cdmuv+w=="},"filename":"0vulns-dependency-confusion-poc-1.0.0.tgz"}],"evidence_files":[{"sha256":"df25c9820813642beda96bfe9125ae273eb44b4dd28c6c8530c4325bef226dc1","path":"package.json","tlsh":"4101dd30a220bf2316c55ae11925022bf672fba795112d1cefa71118b32fde1107ca14"}],"domains":["webhook.site"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0vulns-dependency-confusion-poc/MAL-2025-5016.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}