{"id":"MAL-2026-10459","summary":"Malicious code in connectedmerchantsserv (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (834b886e34ea551223e9eeb30561267c93226eac960729a9a0ff6a06277c74cf)\nThe package's `scripts.install` lifecycle hook runs `node index.js`, which loads `lib/core.js`. That module collects the installer's OS username, hostname, and current working directory basename, then encodes those values as subdomain labels of `oob.sl4x0.xyz` prefixed with `paypal2` and issues `dns.resolve4` queries against the resulting hostname, leaking the data out-of-band to the attacker's authoritative DNS server. The Node API names (`os`, `dns`, `userInfo`, `username`, `hostname`, `cwd`) and the destination domain are hidden as char-code numeric arrays reconstructed via `String.fromCharCode` in `lib/b02e30.js` and `lib/6ad264.js` to evade static inspection. The package is presented as generic 'enterprise utilities' but ships no functionality matching that description.\n","modified":"2026-07-13T18:16:56.563353484Z","published":"2026-07-13T17:37:46Z","database_specific":{"malicious-packages-origins":[{"versions":["9.9.11"],"id":"IN-MAL-2026-010271","import_time":"2026-07-13T18:10:12.475554015Z","modified_time":"2026-07-13T17:37:46Z","sha256":"834b886e34ea551223e9eeb30561267c93226eac960729a9a0ff6a06277c74cf","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/connectedmerchantsserv/v/9.9.11"}],"affected":[{"package":{"name":"connectedmerchantsserv","ecosystem":"npm","purl":"pkg:npm/connectedmerchantsserv"},"versions":["9.9.11"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"connectedmerchantsserv-9.9.11.tgz","hashes":{"sha1":"a8ed40359888ec818a98762b3be95cb288b0f6ff","sha512_sri":"sha512-aPFh9YNaxIKaKk/ndy8Wf7vdBNCERDEfdPZCJXCL+0mPi6uLx3jNKXogAaoiY/OdpwKIiWdK5tib0w6qQACQiQ=="}}],"evidence_files":[{"tlsh":"38014929a393c08f97e096d0361a03d18499c380e7ce80a5fa7c4a87904e7d1cac5a96","path":"lib/core.js","sha256":"397d1435e7291ed6b02b8627033a110124d250a54290b3a8f9f248573fd6a2d4"},{"path":"lib/b02e30.js","sha256":"3daf2ec358d726df0db8f81464e0308fe7c96962198ec5f8d8878fe6334939df","tlsh":"9be068177347c94fa1880bf7b90060a0aa0d8f58a12dc0e6f928678500af443c0c0232"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/connectedmerchantsserv/MAL-2026-10459.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}