{"id":"MAL-2026-10095","summary":"Malicious code in fury_frontend-andes-ui (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (29bea4f118854efa6568545722d7210a76e06e64cad4036e0cc0b45c45aafe37)\nThe package's postinstall hook auto-executes index.js on `npm install`. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data. The package name mimics MercadoLibre's internal 'fury/andes-ui' naming convention and is published at version 99.9.5 to force resolution over any legitimate internal package with the same name — the standard dependency-confusion attack shape. The package ships no library functionality matching its name; its only effect on install is the identity beacon.\n","modified":"2026-07-10T15:33:27.555975888Z","published":"2026-07-09T20:40:26Z","database_specific":{"malicious-packages-origins":[{"versions":["99.9.5"],"sha256":"29bea4f118854efa6568545722d7210a76e06e64cad4036e0cc0b45c45aafe37","source":"amazon-inspector","import_time":"2026-07-09T21:03:50.781166041Z","id":"IN-MAL-2026-009396","modified_time":"2026-07-09T20:40:26Z"},{"versions":["99.9.6"],"sha256":"b1aefe94fdc715e7ebd113a5ee7389e98dac714fdeae3df64fc0168d60325319","import_time":"2026-07-10T15:23:37.003792875Z","source":"amazon-inspector","id":"IN-MAL-2026-009612","modified_time":"2026-07-10T15:18:00Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/fury_frontend-andes-ui/v/99.9.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/fury_frontend-andes-ui/v/99.9.6"}],"affected":[{"package":{"name":"fury_frontend-andes-ui","ecosystem":"npm","purl":"pkg:npm/fury_frontend-andes-ui"},"versions":["99.9.5","99.9.6"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"5031109465f6611046b658d8108f88193529f003325edfc0fbed43d0afc6578e9b2edd","path":"index.js","sha256":"7bc8f8d3dfd900f28b5d7bff66f0985294a2a9e4048152f776f7e224c8ebf58c"},{"tlsh":"bbd0a7745c315a3378d456e60966640bb5619d1b0114780d5793245c92dea3748fd60f","path":"package.json","sha256":"808cf8d0f187084f88a685dfe6b07f948533e94c046c313a4b7ac075a6a69a30"}],"package_integrity":[{"hashes":{"sha1":"065e4280136fb4c7c6a1c5dfeec4dce69dc96f87","sha512_sri":"sha512-0bLkiPOsPNw1i5rFLin1fkul5fmZ7HoetDDhFp4EBUUfYIBsenXWsWrC5L8w4f+EEUslRItgGT7v7rASY9rzMw=="},"filename":"fury_frontend-andes-ui-99.9.5.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fury_frontend-andes-ui/MAL-2026-10095.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}