{"id":"MAL-2026-3724","summary":"Malicious code in @convera/ui-shared (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3fa0960816c1204042cecc61c5337e5db2c1407f5325cfc2ed26e43b5dc054d0)\nOn `npm install`, the package's `preinstall.js` collects `os.hostname()` and `os.userInfo().username` and sends them as query parameters (`/?hn=\u003chostname\u003e&un=\u003cusername\u003e`) via `https.request` to `am0f14nl6o1nqwrngbrq33amfdl496xv.oastify.com`, a Burp Collaborator subdomain. The package ships an empty `index.js` (`module.exports = {}`) and a `package.json` description identifying itself as a 'bug-bounty research placeholder — Convera', published under the `@convera/*` scope to match a private internal namespace. Any installer who resolves this name (accidental scope resolution, misconfigured registry, or a legitimate Convera dev pulling the public registry version) silently leaks host identifiers to a third-party Collaborator endpoint with no opt-in and no functional code in return. Regardless of the author's stated research intent, this is unauthorized data collection from every installer and a dependency-confusion attack surface against the Convera organization.\n\n## Source: ossf-package-analysis (647502d33492bf942a8b0bd468f7420ebca797820c7a47ac74c238c35ae08bff)\nThe OpenSSF Package Analysis project identified '@convera/ui-shared' @ 0.0.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-05-15T07:52:10.159530Z","published":"2026-05-14T08:44:28Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","sha256":"647502d33492bf942a8b0bd468f7420ebca797820c7a47ac74c238c35ae08bff","import_time":"2026-05-14T09:02:19.439009719Z","modified_time":"2026-05-14T08:44:28Z","versions":["0.0.2"]},{"source":"amazon-inspector","sha256":"271ce9a862ed30273cb6240b1332324bdfcff1d46c231cd197b94105aa8cf96f","import_time":"2026-05-15T07:37:19.580889406Z","id":"IN-MAL-2026-002775","modified_time":"2026-05-14T19:46:56Z","versions":["0.0.2"]},{"source":"amazon-inspector","sha256":"3fa0960816c1204042cecc61c5337e5db2c1407f5325cfc2ed26e43b5dc054d0","import_time":"2026-05-15T07:37:19.624369476Z","id":"IN-MAL-2026-002776","modified_time":"2026-05-14T19:47:10Z","versions":["0.0.3"]},{"source":"amazon-inspector","sha256":"4b8662e0a23d1d0110e235efc29c0716b04716640dc11185ecf727447c699667","import_time":"2026-05-15T07:37:18.262636197Z","id":"IN-MAL-2026-002725","modified_time":"2026-05-14T19:25:26Z","versions":["0.0.3"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@convera/ui-shared/v/0.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@convera/ui-shared/v/0.0.3"}],"affected":[{"package":{"name":"@convera/ui-shared","ecosystem":"npm","purl":"pkg:npm/%40convera/ui-shared"},"versions":["0.0.2","0.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@convera/ui-shared/MAL-2026-3724.json","indicators":{"evidence_files":[{"tlsh":"7cf0d47d12e0d230232110c4081b15216dabf65152c6c8c4931d06d8cdf21f57b53dbe","sha256":"f9c27070dd0c05c2738a5cb17b55f70600c1cdae8c407b84a9b48c7a277ddba8","path":"preinstall.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-7Nd+7Mv4kO2W6ZU240aucmdmMjoxbOsSvuSYn81k5KYYJ+8ciucpehYcy+kHaztaNp+S9aFG3GEwM8GYpCWFHw==","sha1":"b6243c476f0d789ffe7b513d72d4d5e9b0452a1d"},"filename":"ui-shared-0.0.2.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}