{"id":"MAL-2026-3748","summary":"Malicious code in @pelmnaads/naads-common-logger (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (68990dfacdc750bf464d646aca4855c2dd23bbefcadef1d9638e2d663a23fc57)\nThe package is published to the public npm registry under `@pelmnaads/naads-common-logger` with version `19999.0.1` — the canonical dependency-confusion pattern, where an abnormally high version is used to make npm's resolver prefer this public package over a private internal package of the same name. On `npm install`, a `preinstall` lifecycle script (preinstall.js:5-9) makes an HTTPS GET to `h5nvwrz2815ubw84cpkwhezm5db9z1nq.b.mburpcollab.com` with query parameters `package=\u003cnpm_package_name\u003e&hostname=\u003cos.hostname()\u003e`, transmitting the installer's hostname off-host to a Burp Collaborator out-of-band interaction endpoint. The README states this is an authorized security test, but the code path and effect on an unsuspecting installer are identical to a hostile dependency-confusion attack: build hosts silently disclose their identity to a third-party domain during `npm install`, with no opt-in. Any build system that resolves this package (e.g., an internal Pelmorex pipeline expecting the private `@pelmnaads/naads-common-logger`) would leak hostname data.\n","modified":"2026-05-15T07:52:27.205665Z","published":"2026-05-14T19:25:51Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-002766","source":"amazon-inspector","versions":["19999.0.1"],"modified_time":"2026-05-14T19:25:53Z","import_time":"2026-05-15T07:37:19.454275828Z","sha256":"2f25d490deb5c32e9675f7941c54e8e9c9c1c180adaf00de19e4bb2a10325c47"},{"id":"IN-MAL-2026-002763","source":"amazon-inspector","versions":["19999.0.1"],"modified_time":"2026-05-14T19:25:51Z","import_time":"2026-05-15T07:37:19.409978984Z","sha256":"68990dfacdc750bf464d646aca4855c2dd23bbefcadef1d9638e2d663a23fc57"},{"id":"IN-MAL-2026-002786","source":"amazon-inspector","versions":["19999.0.1"],"modified_time":"2026-05-15T00:04:56Z","import_time":"2026-05-15T07:37:19.946869887Z","sha256":"8e4fd2828e3ff35aa485baef1b289b8faa19386e1c5199cbddb213b844a57733"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@pelmnaads/naads-common-logger/v/19999.0.1"}],"affected":[{"package":{"name":"@pelmnaads/naads-common-logger","ecosystem":"npm","purl":"pkg:npm/%40pelmnaads/naads-common-logger"},"versions":["19999.0.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"beaf5d70084a3c99d3c125103ce3d27e9e553486","sha512_sri":"sha512-FzJ2y8GAG3og3Mggld5FreQatbt2KLubLqlCuQ68lKnbAIqo4lMr5kug5uHwNiAL/aN3nbAtPQihpl8z0EmR+g=="},"filename":"naads-common-logger-19999.0.1.tgz"}],"evidence_files":[{"sha256":"f953effaba2900cece999a0e4f06d5eb4ac614e490856715c678213d2cec8a6b","path":"preinstall.js","tlsh":"13e0f1f50171d72057f023c4e08ca50a1423d213748e59b0bacd13e29f854b86a96cf0"},{"sha256":"11f68af131ee9e697e4a07518447cc623810a3c8e314473f24a87745df66b91d","path":"package.json","tlsh":"80d022754c45da322ac803c2243f720921a9cbaa6000092c9adb700be381263082b148"}],"domains":["h5nvwrz2815ubw84cpkwhezm5db9z1nq.b.mburpcollab.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@pelmnaads/naads-common-logger/MAL-2026-3748.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}