{"id":"MAL-2026-10179","summary":"Malicious code in @uwr/colors (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (91240d8fb55b7ed4730a41f3a334c633bf1a03afb649fd473cad0c0a25312847)\nThe package's postinstall script reads the installer's machine hostname via os.hostname() and performs a DNS lookup of `\u003chostname\u003e.0ab1mctv5xigbskwtfusp77dj4pvdx1m.oastify.com`, leaking the hostname to a Burp Suite Collaborator subdomain at `npm install` time without consent. oastify.com is the Burp Collaborator service, commonly used by attackers as an out-of-band data-exfiltration channel. The package's advertised functionality is a trivial 5-entry frozen color constants map under the unscoped-looking @uwr scope (\"colors for the unified workflow runtime\") with an empty author field, consistent with a dependency-confusion / reconnaissance probe staged against an internal namespace rather than a legitimate library.\n","modified":"2026-07-10T23:01:54.335651718Z","published":"2026-07-10T22:43:45Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-10T22:50:19.341835068Z","sha256":"91240d8fb55b7ed4730a41f3a334c633bf1a03afb649fd473cad0c0a25312847","modified_time":"2026-07-10T22:43:45Z","id":"IN-MAL-2026-009729","source":"amazon-inspector","versions":["1.3.6"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@uwr/colors/v/1.3.6"}],"affected":[{"package":{"name":"@uwr/colors","ecosystem":"npm","purl":"pkg:npm/%40uwr/colors"},"versions":["1.3.6"],"database_specific":{"indicators":{"package_integrity":[{"filename":"colors-1.3.6.tgz","hashes":{"sha1":"641fdc8894e11626444aeaf4b44ae972feadffd0","sha512_sri":"sha512-MkiepX7ZYdReFILGGhdYPMJc+aPTNwnjEPKM+NMyuS1XvFQNBHX2ofLP5akNnoVcowu8xvThyW4w+LrhwJhKCA=="}}],"evidence_files":[{"tlsh":"bbf0ac4d38e329455f5258ec204fb82d751ddea7b09dc088ba8d0ae08f5223859b6a8c","sha256":"dc3cb96ca7208aef0ff019fa4492cb70385891ad75b63127dbf93b93288ca45f","path":"scripts/postinstall.js"},{"tlsh":"00f08b15cab00e3324c8ab2f2c2b8157b6618c9701587d1633c7026c0f8e66b28ff2ad","sha256":"6fd37fc8898a9df4434b6537800e3bbe1d5211e6adbe1cd6d43e6be4a5aab63c","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@uwr/colors/MAL-2026-10179.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}