{"id":"MAL-2026-10178","summary":"Malicious code in @broadpeak/smartlib-ad (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289)\npackage.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js loads child_process/os/https, runs `whoami` and `id`, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the `@broadpeak` scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.\n","modified":"2026-07-10T23:01:54.273583209Z","published":"2026-07-10T22:43:23Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289","modified_time":"2026-07-10T22:43:23Z","id":"IN-MAL-2026-009727","import_time":"2026-07-10T22:50:19.092147104Z","versions":["24.1.10"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@broadpeak/smartlib-ad/v/24.1.10"}],"affected":[{"package":{"name":"@broadpeak/smartlib-ad","ecosystem":"npm","purl":"pkg:npm/%40broadpeak/smartlib-ad"},"versions":["24.1.10"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@broadpeak/smartlib-ad/MAL-2026-10178.json","indicators":{"evidence_files":[{"tlsh":"24515fc505f69a291ba7b8494a4f9402b227e0033646de55bfcc8740af9537c9bf0bf2","path":"index.js","sha256":"8f8c3fdb9d25887f5261526b88affa83cedc58dfcdd4658d238ab1c27dc0a4f6"},{"path":"package.json","tlsh":"a2d05e344e21553339c22692182aa5467661cf2f04047c0563db582d518e27798ff71d","sha256":"03bf1a4818f0ed90787664df6f821dc0b5418660e2469707e9ab7a188309af63"}],"package_integrity":[{"filename":"smartlib-ad-24.1.10.tgz","hashes":{"sha512_sri":"sha512-XSRl5W1xCuzJxQB6YcUlkQnxtUCXLoKPw+jT24b4YE5NYNYQ0B+gUHSfuyrRW/TasUS1dEJOCspYugPuhof/SA==","sha1":"aab1dfbc34385f7f35ea3e784362860817786a8a"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}