{"id":"MAL-2026-4177","summary":"Malicious code in did-0091 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1a50f30be232b343bc9dff677d6c208f16fff861009dccc9f76409d37264205b)\nOn `npm install`, the package's postinstall script runs `node -e` to fetch the installer's public IP from api.ipify.org, execute `id || ver && whoami && hostname`, and collect hostname, cwd, and USERDOMAIN/COMPANY environment variables. The bundle is POSTed to a hardcoded interactsh subdomain at lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun. The package has no legitimate function: description is 'xxx', main file index.js is 0 bytes, and the only behavior is the install-time beacon. Combined with the unusual name shape, this matches dependency-confusion reconnaissance campaigns that probe corporate networks via Project Discovery's interactsh out-of-band service.\n\n## Source: ossf-package-analysis (80bf373136eb0315910e5ba3fa9097db2cd7efe316d1defbb9b8b78f8ab8506b)\nThe OpenSSF Package Analysis project identified 'did-0091' @ 11.0.6 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-26T06:02:30.311983482Z","published":"2026-05-19T21:55:34Z","database_specific":{"malicious-packages-origins":[{"versions":["11.0.6"],"sha256":"80bf373136eb0315910e5ba3fa9097db2cd7efe316d1defbb9b8b78f8ab8506b","import_time":"2026-05-19T22:31:46.292691196Z","modified_time":"2026-05-19T22:21:26Z","source":"ossf-package-analysis"},{"versions":["11.0.5"],"sha256":"f4b594d2a20934ded84a88099ffbd32867a902111b6913b26b1c2edbfd29dc46","import_time":"2026-05-19T22:31:46.18393195Z","source":"ossf-package-analysis","modified_time":"2026-05-19T21:55:34Z"},{"versions":["11.0.9"],"sha256":"61d58ac7c207990da6528f69910d6bcc50078056c4ae1d0ce7f7542be02f0e28","import_time":"2026-05-19T23:29:27.589421438Z","modified_time":"2026-05-19T22:50:37Z","source":"ossf-package-analysis"},{"versions":["11.1.8"],"sha256":"8eb7cf1f3e910dc7e57fe63cb4cd817aa0a8491e9b1ad2749aef5d3695cc12ad","import_time":"2026-05-19T23:29:27.517807089Z","modified_time":"2026-05-19T22:35:37Z","source":"ossf-package-analysis"},{"versions":["11.2.8"],"sha256":"a3f3feaec2f78aa66653b8f6a2238f6dcb839a7a55bb4660f557f0666574a40f","import_time":"2026-05-20T15:47:05.41506521Z","source":"ossf-package-analysis","modified_time":"2026-05-20T14:46:36Z"},{"versions":["11.2.8"],"id":"IN-MAL-2026-003572","sha256":"1a50f30be232b343bc9dff677d6c208f16fff861009dccc9f76409d37264205b","import_time":"2026-05-26T05:50:52.979664301Z","modified_time":"2026-05-20T14:40:35Z","source":"amazon-inspector"},{"versions":["11.2.8"],"id":"IN-MAL-2026-003573","sha256":"4bfd8cc600f24af5afeb4a132a1c75dc41423a80c4f6817543b09a8fb2876ed8","import_time":"2026-05-26T05:50:53.091879503Z","modified_time":"2026-05-20T14:40:36Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/did-0091/v/11.2.8"}],"affected":[{"package":{"name":"did-0091","ecosystem":"npm","purl":"pkg:npm/did-0091"},"versions":["11.0.6","11.0.5","11.0.9","11.1.8","11.2.8"],"database_specific":{"indicators":{"package_integrity":[{"filename":"did-0091-11.2.8.tgz","hashes":{"sha512_sri":"sha512-rBl+S66mzzBxHPAPp6KMFL1EDbLvtNWGGrrL1fOjrrndtcfJEii7RdZ0coGlROutP1le2sn2u29LVhvxuTLJqA==","sha1":"e849fe14ec698c4665af7b2925d42f71887f2593"}}],"domains":["api.ipify.org","lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun"],"evidence_files":[{"path":"package.json","sha256":"1f1e2833a009baed24c5dc5c76a9cfe463a4317b9af4b83ef6e73ce1e700719d","tlsh":"1e1154f0a9d0e6b9b7c143f57946d805e973fa0661005cb09d5c2b828f8927066b7eec"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/did-0091/MAL-2026-4177.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}