{"id":"MAL-2026-10201","summary":"Malicious code in bugexploit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (745f81b0c53fa121939d4f71680783860795a394eb30308f6e7e2dcf29401c92)\npackage.json declares a `postinstall` script that runs `node index.js`. On `npm install`, index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec. The transmission is unconditional and fires automatically on default install. The destination is a generic webhook-capture service unrelated to any declared package purpose, and the collected fields are host identifiers useful for victim triage / beacon confirmation.\n","modified":"2026-07-12T21:01:54.087620893Z","published":"2026-07-12T20:45:28Z","database_specific":{"malicious-packages-origins":[{"sha256":"745f81b0c53fa121939d4f71680783860795a394eb30308f6e7e2dcf29401c92","modified_time":"2026-07-12T20:45:28Z","versions":["99.9.9"],"import_time":"2026-07-12T20:48:33.354486684Z","source":"amazon-inspector","id":"IN-MAL-2026-009753"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/bugexploit/v/99.9.9"}],"affected":[{"package":{"name":"bugexploit","ecosystem":"npm","purl":"pkg:npm/bugexploit"},"versions":["99.9.9"],"database_specific":{"indicators":{"evidence_files":[{"path":"index.js","tlsh":"13f0ddf085b186604ffe51d4a04cbc1e2263e201b44fa990e5c443645fc5ae458f2de5","sha256":"66282b09f7caaa5bf5e8f452563b22bfb584809882a181a7ac1901e65a86d664"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-bblnHNtPANP4owGGw8+mneAdaLIh74uTWf1fSpjq4RtocBWtlc0Tes9mBoWVEE4QWFawEMeemaOoe43k7iYUXA==","sha1":"30f96c42e0b83c076e369f7553cf768d27da208a"},"filename":"bugexploit-99.9.9.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bugexploit/MAL-2026-10201.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}