{"id":"MAL-2026-10683","summary":"Malicious code in formatters.ts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (21827129edc8dbde114c615df656d5a234d1fbcfa5b9f63d5286d781253e8f2b)\nThe package declares a preinstall hook that runs index.js on npm install. index.js collects host and identity reconnaissance — os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release, memory, CPU count, and the output of the `whoami`, `id`, and `pwd` shell commands — and POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://y43nklho48nnebq8qpmw3ngha8gz4pse.oastify.com/detox56. The package name resembles a legitimate formatter/TypeScript module and ships with empty description/author metadata, consistent with a dependency-confusion typosquat lure whose sole purpose is the install-time beacon.\n","modified":"2026-07-15T16:49:27.568038986Z","published":"2026-07-15T15:38:41Z","database_specific":{"malicious-packages-origins":[{"sha256":"21827129edc8dbde114c615df656d5a234d1fbcfa5b9f63d5286d781253e8f2b","source":"amazon-inspector","versions":["14.2.1"],"id":"IN-MAL-2026-010679","import_time":"2026-07-15T16:34:35.997967786Z","modified_time":"2026-07-15T15:38:41Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/formatters.ts/v/14.2.1"}],"affected":[{"package":{"name":"formatters.ts","ecosystem":"npm","purl":"pkg:npm/formatters.ts"},"versions":["14.2.1"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"formatters.ts-14.2.1.tgz","hashes":{"sha1":"19b32d30c24b83b27cfca926859ae4720d72f9a6","sha512_sri":"sha512-RKVKC/EKD83uzjEitQalY/LWnVwF+jLyMfkZnWHW0x4MQtT1aoS4Qm6MhYRDKVuFjr6t++jfNz18XEG+9q4kNg=="}}],"evidence_files":[{"sha256":"d258314b1d0fd2121f4e1e06bced026bd7db4cb0b0c1a7ee081ed6106ae89a74","tlsh":"975130d515f66a241ba7b8494a4f9402a327e0033509ee55bfcc8740af9936c9bf0bf6","path":"index.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/formatters.ts/MAL-2026-10683.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}