{"id":"MAL-2026-3684","summary":"Malicious code in @gusmano/reext (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8)\nThe npm preinstall lifecycle script (dist/scripts/preinstall.js, wired via package.json \"preinstall\": \"node ./dist/scripts/preinstall.js\") reads the installer's ~/.gitconfig via iniparser.parseSync(home_dir+'/.gitconfig') and the OS username via os.userInfo().username, then issues an HTTPS GET to the hardcoded endpoint https://2tak.l.serverhost.name:1962/mobile/reext with osname, gitname, and gitemail supplied as query parameters. The code explicitly branches on `if (osname === 'xmarcgusmano') { server = 'http://localhost:1962' } else { server = 'https://2tak.l.serverhost.name:1962' }`, confirming that the remote-host path fires for every installer that is not the author's own machine — a deliberate exfiltration path gated by the author's own username. The destination is not a documented vendor endpoint; it is an author-controlled third-party host the installer did not opt into. Separately, dist/scripts/postinstall.js resolves `path.resolve(__dirname, '../../package.json')` (the consuming project's own package.json relative to node_modules/@gusmano/reext/dist/scripts/) and rewrites it, deleting scripts.dev/build/test/watch/coverage, the entire `scripts` key, `eslintConfig`, `devDependencies`, and `dependencies`, then rm -rf's several dist subfolders — destructive, unauthorized mutation of the installer's project files.
The combination (silent install-time exfiltration of personal identity data to an author-controlled host plus destructive rewrite of the consumer's manifest) is unambiguously harmful to installers.\n","modified":"2026-05-13T20:22:37.637033Z","published":"2026-05-12T21:23:01Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.649312644Z","id":"IN-MAL-2026-002614","sha256":"054b16cbfefbf8db2833bc11292a221388ea6f846f479accff78585e1f2fa27a","modified_time":"2026-05-13T03:27:31Z","versions":["0.0.104"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.61484503Z","id":"IN-MAL-2026-002578","sha256":"3f9749ef494686a44f85606ca4b3f074373275808013fe9e59f1797bcca9b0fe","modified_time":"2026-05-12T23:03:17Z","versions":["0.0.166"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.576700937Z","id":"IN-MAL-2026-002590","sha256":"4e84657e6ccdec00cd4972691de05d04081c98b7e7734ff7b94688059e9ea502","modified_time":"2026-05-13T00:47:34Z","versions":["0.0.216"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:10:59.934468325Z","id":"IN-MAL-2026-002567","sha256":"4f0ba19a2a776ef66ddeb23ebec68f2d5adfc1ea203f8be9fa14dfdd9906099f","modified_time":"2026-05-12T21:23:50Z","versions":["0.0.150"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.520552294Z","id":"IN-MAL-2026-002577","sha256":"95b6cc3a3852fd4256b505e0f495070b12c74c2845ddb074ca10c2f976780783","modified_time":"2026-05-12T23:03:02Z","versions":["0.0.148"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.918777077Z","id":"IN-MAL-2026-002595","sha256":"2d48ef0582a31947906fbeaa4735eae0d3fb69cab51e118f28fc293c3fe2aafe","modified_time":"2026-05-13T01:14:42Z","versions":["0.0.218"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.118329974Z","id":"IN-MAL-2026-002571","sha256":"3c1869cfa68f4b777e7d2a65a1c002bbe6b69fd157dbec48f2c0c8244403b8f9","modified_time":"2026-05-12T21:58:26Z","versions"
:["0.0.197"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.82913543Z","id":"IN-MAL-2026-002593","sha256":"69da331d08f2262e165c6f05b979bf5862d21877627b226ce3018c30b312f4b7","modified_time":"2026-05-13T01:07:12Z","versions":["0.0.276"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.811403722Z","id":"IN-MAL-2026-002580","sha256":"7225ee364b6bf2e68d8f94df0f0fb8ff3212495a1f86a81cd95036add33b1297","modified_time":"2026-05-12T23:11:12Z","versions":["0.0.92"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.274678051Z","id":"IN-MAL-2026-002574","sha256":"8a5af26cfe6ec2086ff01bcd884e78204e9ebe556ab1149a276e4788f2e16b30","modified_time":"2026-05-12T22:10:21Z","versions":["0.0.98"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.899644618Z","id":"IN-MAL-2026-002581","sha256":"25cb2d1c27f93198a0c22c0d91516b40bdf72db5b27d7684fb693a1adf1b6d52","modified_time":"2026-05-12T23:16:22Z","versions":["0.0.317"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:10:59.830462978Z","id":"IN-MAL-2026-002565","sha256":"41da396e871fb4898617c8ee8c9862016e8327d344aa9ca92286cd08613960ed","modified_time":"2026-05-12T21:23:01Z","versions":["0.0.169"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.176429145Z","id":"IN-MAL-2026-002584","sha256":"5eb7e3818b728594ca78e7ee60ebbc307a572c55e2edc1736f3098b0bbe7858f","modified_time":"2026-05-13T00:18:09Z","versions":["0.0.209"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.770816091Z","id":"IN-MAL-2026-002592","sha256":"87c1df2138a5b8fc918fd76b3b12da6f03ad345b480fe582f03005a7511ff4fa","modified_time":"2026-05-13T01:05:07Z","versions":["0.0.250"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.714856167Z","id":"IN-MAL-2026-002579","sha256":"a7634086135630c5a74eb9c337cae198a015db1f42136a87f900fc3c8f2f4824","modified_time":"2026-05-12T23:10:54Z","versions":["0.0.236"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:
00.020406465Z","id":"IN-MAL-2026-002569","sha256":"d565c09d7b68f3745a1c0545035718c847f53dd80f56a27f3074f97e8b65f9e9","modified_time":"2026-05-12T21:29:49Z","versions":["0.0.121"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.034587925Z","id":"IN-MAL-2026-002596","sha256":"903527699f939e76923ea5d5489cd0665e503d34875c63f0baa2d202f3c3998e","modified_time":"2026-05-13T01:14:57Z","versions":["0.0.198"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.402497285Z","id":"IN-MAL-2026-002588","sha256":"963bc7a7692aaa83951959252a82fbecd043a194a3c12444d625c7620ac36469","modified_time":"2026-05-13T00:46:38Z","versions":["0.0.128"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.161399496Z","id":"IN-MAL-2026-002599","sha256":"d8b09993dd148c1c48224b04bb240ae823586dad7e365ef187e9c33f9882cfe5","modified_time":"2026-05-13T01:23:26Z","versions":["0.0.190"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.267861091Z","id":"IN-MAL-2026-002609","sha256":"98f647eef993d1ceac73629adfc39a5689b98f0161c8c3f6019cff9272e553b6","modified_time":"2026-05-13T03:16:29Z","versions":["0.0.352"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.119063779Z","id":"IN-MAL-2026-002583","sha256":"bfcc3256d46cea7ccc02dbc0e50a9015c0940e2d22086de24264028d99b14a99","modified_time":"2026-05-13T00:02:31Z","versions":["0.0.223"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.633507992Z","id":"IN-MAL-2026-002591","sha256":"e6b616cdc46faca34ffe75e19ffdc3bbc2833a2e53c836f160cd6d5ec8bfcef5","modified_time":"2026-05-13T01:01:44Z","versions":["0.0.261"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.198406181Z","id":"IN-MAL-2026-002573","sha256":"1763e928ff0b87df04094d5bca515f3f2ec8463995334b4110e3e1f73853faff","modified_time":"2026-05-12T22:06:56Z","versions":["0.0.315"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.725217798Z","id":"IN-MAL-2026-002616","sha256":"9a642c1aa5d84d03416e8
c3843b240ba0571769a46a0a31a92d608d2f23e28a2","modified_time":"2026-05-13T03:56:54Z","versions":["0.0.235"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.069327192Z","id":"IN-MAL-2026-002570","sha256":"ab27a2a93e92f11d66bff9eef79afedc03b4ead3c918ada268ded094776c373b","modified_time":"2026-05-12T21:53:38Z","versions":["0.0.251"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.325738467Z","id":"IN-MAL-2026-002586","sha256":"f8acda3286b967516c42f496d9ee65e9ec1a516fc6a4b3d39229f7af55c85093","modified_time":"2026-05-13T00:35:16Z","versions":["0.0.473"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.321459056Z","id":"IN-MAL-2026-002610","sha256":"14ec79ee9c39e64f5d26977a7c08fe71a46f3c1b67ce5c6e06fc4c1202f269cb","modified_time":"2026-05-13T03:19:25Z","versions":["0.0.358"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.223874766Z","id":"IN-MAL-2026-002601","sha256":"1ec70d753468edf1751ee01595c8a053c8d5dfc472480e3aa0c74384e025b830","modified_time":"2026-05-13T01:39:51Z","versions":["0.0.188"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.480974783Z","id":"IN-MAL-2026-002589","sha256":"28ab5771dc3ec13fc89f470d11d113f060102a6013ad8efd88a7e4e3474b6b61","modified_time":"2026-05-13T00:47:17Z","versions":["0.0.390"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:01.043710343Z","id":"IN-MAL-2026-002582","sha256":"498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8","modified_time":"2026-05-12T23:40:45Z","versions":["0.0.237"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:00.468326542Z","id":"IN-MAL-2026-002575","sha256":"93dad7200065f05081e2a92304855d3363c2b589a5c7957b7e6a361d527992de","modified_time":"2026-05-12T22:10:29Z","versions":["0.0.255"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.530248993Z","id":"IN-MAL-2026-002613","sha256":"0eeb28e0cfbeccaea95b07a1c2f192257c44bb8f851fcba9de2c9a8f1286acdf","modified_time":"2026-05-13
T03:24:49Z","versions":["0.0.222"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:11:02.117381601Z","id":"IN-MAL-2026-002597","sha256":"2ab4ef352a13242ba01ac7d9d9b5f81af97ec18c9c97026bd9f7b20f743d4c9e","modified_time":"2026-05-13T01:19:08Z","versions":["0.0.324"]},{"source":"amazon-inspector","import_time":"2026-05-13T20:10:59.876603628Z","id":"IN-MAL-2026-002566","sha256":"2abe8240ad32db3f0f17d2d4bbeaec396bdc6dc540a0da1af69aa0dc62f16fcc","modified_time":"2026-05-12T21:23:02Z","versions":["0.0.346"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.104"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.166"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.216"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.150"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.148"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.218"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.197"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.276"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.92"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.98"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.317"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.169"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.209"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.250"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.236"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.121"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.198"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.
0.128"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.190"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.352"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.223"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.261"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.315"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.235"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.251"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.473"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.358"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.188"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.390"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.237"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.255"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.222"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.324"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gusmano/reext/v/0.0.346"}],"affected":[{"package":{"name":"@gusmano/reext","ecosystem":"npm","purl":"pkg:npm/%40gusmano/reext"},"versions":["0.0.104","0.0.166","0.0.216","0.0.150","0.0.148","0.0.218","0.0.197","0.0.276","0.0.92","0.0.98","0.0.317","0.0.169","0.0.209","0.0.250","0.0.236","0.0.121","0.0.198","0.0.128","0.0.190","0.0.352","0.0.223","0.0.261","0.0.315","0.0.235","0.0.251","0.0.473","0.0.358","0.0.188","0.0.390","0.0.237","0.0.255","0.0.222","0.0.324","0.0.346"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gusmano/reext/MAL-2026-3684.json","indicators":{"evidence_files":[{"path":"dist/preinstall.js","sha256":"4241f7ad5530ea57811
28d0fb5a0bf4acbfd80eb045672850baa9f36b2036e75","tlsh":"0f91c2458efc843b25677e48980e24173ea1bf21a3a9e714721d935b6be0d24d0636ff"},{"path":"dist/postinstall.js","sha256":"7dcc13f4ed548a976beafc70a07696f7bbd2a7261ad7ef1f98b77ee32026c812","tlsh":"0dd0a7151ed8633828940ed75c23000aa887c9007334b950809c4297138ad848a534f7"}],"package_integrity":[{"hashes":{"sha1":"8ff187952cdf3f3870efdc4b46265d823c527e2e","sha512_sri":"sha512-fSjnTk+S+nUF8PznFYubjV37zWw4tYUDsqu0aVw00ugp72Oc/UH+aYGcZLaC7Zb+UVOXGV2nU4D9sL1VqYUbAQ=="},"filename":"reext-0.0.104.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that 
appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The 
product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}