{"id":"MAL-2026-10205","summary":"Malicious code in library-explorer (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273)\npackage.json declares `preinstall: node index.js`. On `npm install`, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out `whoami` and (non-Windows) `id` via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.\n","modified":"2026-07-12T21:01:53.661194256Z","published":"2026-07-12T20:47:17Z","database_specific":{"malicious-packages-origins":[{"sha256":"28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273","versions":["25.2.1"],"modified_time":"2026-07-12T20:47:17Z","import_time":"2026-07-12T20:48:33.642381506Z","id":"IN-MAL-2026-009759","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/library-explorer/v/25.2.1"}],"affected":[{"package":{"name":"library-explorer","ecosystem":"npm","purl":"pkg:npm/library-explorer"},"versions":["25.2.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-pPRZb0SmChegNahUt4gyhtmrWHrwdyp+8MUM8WVJ/XNW76huybrE8o7u4k/JOqVNlxWMwjMlsIyJYJUP7hb50A==","sha1":"be274220fdd450b1cc65896fd7c2629df819ad7c"},"filename":"library-explorer-25.2.1.tgz"}],"evidence_files":[{"sha256":"4a33f8f2706676a92ea4c159f5cfb4253b36da86d2bb5672809e6419f554702b","path":"index.js","tlsh":"ca5130c515f655241b67a8494a4f9402a327e0033509de55bfcc8340af8937c97f0bf6"},{"sha256":"21f6e3dffa7719b18e1eb0968fe4d98328260c493183d7ccc627e1dac3f4b430","path":"package.json","tlsh":"64d05e244e21553365c10252082b958672628e2b04043c08a7db182c61ce27b98ff35d"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/library-explorer/MAL-2026-10205.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}