{"id":"MAL-2026-3749","summary":"Malicious code in @webapp-next/store (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cbad3803cdda40845fe2aa64e0963b9293f9ee523b3f9205a354da2ae1e317bf)\npackage.json declares \"preinstall\": \"node index.js\", which runs automatically on npm install. index.js collects os.hostname(), os.platform(), os.arch(), os.homedir(), os.userInfo() (username, uid, gid, shell), OS release/memory/CPU info, process.cwd(), and the output of shell commands `whoami` and `id`, then POSTs the aggregated JSON to https://oia2jeijtfmt053ynp686t5riioac00p.oastify.com/testbydext. The destination is a Burp Suite Collaborator out-of-band interaction subdomain controlled by the attacker. The package has no legitimate functionality — index.js contains only the exfiltration payload, and package.json carries empty author/description fields under a scope (@webapp-next) that resembles a legitimate namespace, consistent with a dependency-confusion lure.\n","modified":"2026-05-15T07:52:27.858776Z","published":"2026-05-14T19:25:34Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-15T07:37:20.027681785Z","id":"IN-MAL-2026-002798","sha256":"caf033fac1ae50b98e1a222c76831e7012e140234a28dd7e8d0a41a55cf388f7","modified_time":"2026-05-15T02:51:07Z","versions":["91.1.0"]},{"source":"amazon-inspector","import_time":"2026-05-15T07:37:18.661452149Z","id":"IN-MAL-2026-002735","sha256":"cbad3803cdda40845fe2aa64e0963b9293f9ee523b3f9205a354da2ae1e317bf","modified_time":"2026-05-14T19:25:34Z","versions":["91.1.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@webapp-next/store/v/91.1.0"}],"affected":[{"package":{"name":"@webapp-next/store","ecosystem":"npm","purl":"pkg:npm/%40webapp-next/store"},"versions":["91.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@webapp-next/store/MAL-2026-3749.json","indicators":{"package_integrity":[{"filename":"store-91.1.0.tgz","hashes":{"sha512_sri":"sha512-DHkuKgahyrLbuOlwGTkT7OJdRcj0nLvMAvcTvOG09xLYn+eMgGUdrXOrRdnxiahUEgtoTGV7sTdGaKXo4BxlZQ==","sha1":"516f3f665050324eef513a15a26cebb6edbc8a59"}}],"evidence_files":[{"sha256":"5e497bd84896699086b7444a0e8180f761affd89b916fa67093e9dbb4d231558","path":"index.js","tlsh":"c2515fc516f65a251ba7b8494a4f9002b327e0033649ee55bfcc8740af9837c97f0af2"},{"sha256":"0ad68eede34ba2906eb27bc9cbb196c5e58725334360cde0236341ec224ce542","path":"package.json","tlsh":"86d05e385e21653325c50296482b988672a18e2f09047c0877cb582c528e67798fb35c"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}