{"id":"MAL-2026-10084","summary":"Malicious code in conversionvaluemanager (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (21445a74cc1c4d33c89f1a7d8c357c79d5adb11cda135c813676b23c875418e9)\nOn npm install, postinstall.js automatically runs and gathers installer-identifying data (os.hostname(), os.userInfo(), os.platform(), cwd, Node version, timestamp), then sends it as query-string parameters via plain-HTTP GET to a Burp Collaborator subdomain at aq4v2egelzh9n07h3l9d2b5mvd14pvdk.oastify.com/adjust-dep-confusion. The package.json description self-identifies as a dependency-confusion proof-of-concept (\"PoC - Dependency Confusion - Bug Bounty by ha4x0r\"), and the package name targets an internal/private package name. Any organization whose build misresolves to this public package leaks host, user, and environment identifiers to the third-party Collaborator endpoint on install. PoC/bug-bounty framing does not change the installer-side impact: the beacon fires on every install.\n","modified":"2026-07-09T17:31:59.302277481Z","published":"2026-07-09T17:00:59Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009360","import_time":"2026-07-09T17:19:28.960426558Z","source":"amazon-inspector","versions":["3.0.0"],"sha256":"21445a74cc1c4d33c89f1a7d8c357c79d5adb11cda135c813676b23c875418e9","modified_time":"2026-07-09T17:00:59Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/conversionvaluemanager/v/3.0.0"}],"affected":[{"package":{"name":"conversionvaluemanager","ecosystem":"npm","purl":"pkg:npm/conversionvaluemanager"},"versions":["3.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/conversionvaluemanager/MAL-2026-10084.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-v5eYv9MQ27vNNjFWjRJoadgOlE9Y9EPY7QVPzwaJ+5HfF9wovie2dWlmDCivObNOS0kDYFiiPSb4fsoayPz0JA==","sha1":"dd96a7ab22110ff8458ff5a10bfcca9e6eaead42"},"filename":"conversionvaluemanager-3.0.0.tgz"}],"evidence_files":[{"tlsh":"e7f0acf0a2a5ebb81974a7d0a26a080793bbd1057d5bbcd1daa940986b5c2a402b05f4","sha256":"dadaad150a1789aec709a78a41507ff0d88d2ab999dc6622e3574d9ea5f34b49","path":"postinstall.js"},{"tlsh":"dfd097240e62aa3378c50b860833500f27324e0b020c7c8c13e724a8229e3b74abf31f","sha256":"5c3b9e3047d939f4160b1a93994530150054fdc54004292ba8fa3e5287d5d6a2","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}