{"id":"MAL-2026-1318","summary":"Malicious code in @web-monorepo/fetchers (npm)","details":"Package is malware. It exfiltrates data to a suspicious domain via callback.js, triggered by a preinstall script in package.json.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a3faaa666cb666785670b3a638b1f832d4492f7eb2c999f41f7bb551cde2aa86)\nThe package @web-monorepo/fetchers was found to contain malicious code.\n","modified":"2026-03-23T05:39:22.566041Z","published":"2026-03-10T08:31:27Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-03-23T05:11:41Z","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"import_time":"2026-03-23T05:14:02.9604562Z","source":"amazon-inspector","sha256":"a3faaa666cb666785670b3a638b1f832d4492f7eb2c999f41f7bb551cde2aa86"}]},"references":[{"type":"REPORT","url":"https://app.safedep.io/community/malysis/01KK3ARTMK1RXWTT6A7T2KTKER"}],"affected":[{"package":{"name":"@web-monorepo/fetchers","ecosystem":"npm","purl":"pkg:npm/%40web-monorepo/fetchers"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@web-monorepo/fetchers/MAL-2026-1318.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}