{"id":"MAL-2025-5455","summary":"Malicious code in red-bull-venue-tools (npm)","details":"The package communicates with a domain associated with malicious activity.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b)\npackage.json declares preinstall=`node index.js`, which fires automatically on `npm install`. index.js collects host reconnaissance — os.hostname(), os.platform()/arch, os.homedir(), os.userInfo() (username/uid/gid/shell), `whoami` and `id` shell command output via child_process.exec, OS info, and cwd — and POSTs the JSON payload to a hardcoded Burp Collaborator OAST subdomain at https://theyfiesr9w2p5moyrr9yn6lscy3mvak.oastify.com/detox56. The package name impersonates a Red Bull brand namespace, consistent with a targeted reconnaissance / dependency-confusion probe against an internal Red Bull build environment. Installer harm is concrete: every `npm install` of this version leaks installer identity and host fingerprint to an attacker-controlled out-of-band destination.\n","modified":"2026-07-08T21:46:51.747088544Z","published":"2025-06-22T15:32:21Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-008599","sha256":"3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b","versions":["19.2.1"],"modified_time":"2026-07-08T20:34:16Z","import_time":"2026-07-08T21:27:49.425518565Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/red-bull-venue-tools/v/19.2.1"}],"affected":[{"package":{"name":"red-bull-venue-tools","ecosystem":"npm","purl":"pkg:npm/red-bull-venue-tools"},"ranges":[{"type":"SEMVER","events":[{"introduced":"9.9.9"}]}],"versions":["19.2.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/red-bull-venue-tools/MAL-2025-5455.json","indicators":{"package_integrity":[{"filename":"red-bull-venue-tools-19.2.1.tgz","hashes":{"sha1":"c2a716b21f1feea01f6fe8180711fe10f27db350","sha512_sri":"sha512-hEcbw1tdo0ddRdza5P1/mrM6igy/fBX0ZZHc5dZtCDXh1CL5wVHVUHmnZjW6YeeFtuTSY3Gt55vWVK4MM0t1jQ=="}}],"evidence_files":[{"path":"index.js","sha256":"5ad438bc2656321332a7ab460fc3349900ad58f51ef9394cfb9a53a3b6e6703f","tlsh":"525140c516f65a251ba7b8494a4f9002a327e0033509ee55bfcc8340af9937c9bf0bf6"},{"path":"i","sha256":"5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a","tlsh":"d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com","inspector-research@amazon.com"],"type":"FINDER"}]}