{"id":"MAL-2026-10086","summary":"Malicious code in dl-pp-latm (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e21f1adb71c41838848c4d4292830a9738895d32a5b0f1f098e1efdadb233716)\nPackage dl-pp-latm@80.4.2 registers both preinstall and postinstall lifecycle hooks that run index.js, which collects installer machine identifiers — os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), current working directory, and the full package.json — and transmits them via HTTPS POST and DNS lookup to an Interactsh-style subdomain 'bvfmpadujgjgmbtzeibiikzijuhmtd2rs.oast.fun'. The package name pattern and 'Internal App bUg b0UntY gollum22' description match a dependency-confusion probe targeting internal/private package names; any developer workstation or CI system that resolves this package leaks internal hostnames, usernames, and DNS configuration to a third-party OOB collector. This fires automatically on npm install without user interaction.\n","modified":"2026-07-09T17:31:53.943647002Z","published":"2026-07-09T17:03:02Z","database_specific":{"malicious-packages-origins":[{"sha256":"e21f1adb71c41838848c4d4292830a9738895d32a5b0f1f098e1efdadb233716","modified_time":"2026-07-09T17:03:02Z","id":"IN-MAL-2026-009375","import_time":"2026-07-09T17:19:30.80729264Z","versions":["80.4.2"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dl-pp-latm/v/80.4.2"}],"affected":[{"package":{"name":"dl-pp-latm","ecosystem":"npm","purl":"pkg:npm/dl-pp-latm"},"versions":["80.4.2"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"dl-pp-latm-80.4.2.tgz","hashes":{"sha512_sri":"sha512-GErY71T3aJhA/iN4e7dhhAGjya+YmNbs+frbPQiFHkwUsODwz1w8ptwtZB1xnh6QnMxsOH6u9aXsbn7w29SVVA==","sha1":"2f08415098c1c436a3363ea25a98089761373f10"}}],"evidence_files":[{"path":"index.js","sha256":"372af57e73c6d36ea2deb9fcafe7469c3a09849ef18e9ff2b894ba8e8cca425b","tlsh":"b7413398445163608eb187d86911d40af6a6eb7731c487a5f9fe47c02fb36b420b2dbc"},{"path":"package.json","sha256":"21ff6f483981c8d7a11d2d40faae6c89704891f1886f493a50afb0aa93ae6d93","tlsh":"e7e026324c361a2329b006aa887ba956b2a08f3f10349c17b1bf092c91e323198de30d"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dl-pp-latm/MAL-2026-10086.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}