{"id":"MAL-2026-4185","summary":"Malicious code in uolcs-host-uol-anuncios-fe (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (16d9407c815fe2d5593da029ee806d455d15f451d1c84d3cd8d6a0a027821d64)\nPackage claims an internal-scope corporate name (`uolcs-host-uol-anuncios-fe`) on public npm, version-pinned to 99.99.99 — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name in a target organization's CI. Both `preinstall` and `postinstall` hooks in package.json invoke `node./callback.js`, which reads `os.hostname()` and `os.platform()`, embeds them as a subdomain label (`uolci-\u003chostname\u003e-\u003cplatform\u003e.d86r3dv5vn81lvohffp0131g8kdx9mz3c.oast.pro`), and issues a DNS A lookup. The destination `oast.pro` is the interactsh out-of-band interaction listener; the DNS query itself is the exfiltration channel, capturing the installer's hostname and OS at the listener owned by whoever controls that token. The README's claim of authorized research is not verifiable from package contents and does not change the installer-side effect: any CI host or developer machine that resolves this name from public npm leaks identity to a third party on `npm install`.\n\n## Source: ossf-package-analysis (460c859985a6f675c559fa18b353ab35f370e5f1f60c9da53275358a1fdbaa29)\nThe OpenSSF Package Analysis project identified 'uolcs-host-uol-anuncios-fe' @ 99.99.99 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-05-26T06:03:00.620408646Z","published":"2026-05-20T16:06:01Z","database_specific":{"malicious-packages-origins":[{"versions":["99.99.99"],"source":"ossf-package-analysis","sha256":"460c859985a6f675c559fa18b353ab35f370e5f1f60c9da53275358a1fdbaa29","import_time":"2026-05-20T17:09:24.656933892Z","modified_time":"2026-05-20T16:06:01Z"},{"versions":["99.99.99"],"id":"IN-MAL-2026-003648","sha256":"16d9407c815fe2d5593da029ee806d455d15f451d1c84d3cd8d6a0a027821d64","import_time":"2026-05-26T05:51:02.113855996Z","modified_time":"2026-05-20T23:01:10Z","source":"amazon-inspector"},{"versions":["99.99.99"],"source":"amazon-inspector","sha256":"e68507a976e11c8ed1ed5ff82bbb1f322f86fd89b7700c8ffc05207bc72266db","import_time":"2026-05-26T05:51:02.479612112Z","modified_time":"2026-05-20T23:01:11Z","id":"IN-MAL-2026-003649"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/uolcs-host-uol-anuncios-fe/v/99.99.99"}],"affected":[{"package":{"name":"uolcs-host-uol-anuncios-fe","ecosystem":"npm","purl":"pkg:npm/uolcs-host-uol-anuncios-fe"},"versions":["99.99.99"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uolcs-host-uol-anuncios-fe/MAL-2026-4185.json","indicators":{"evidence_files":[{"tlsh":"ef012034ca0a4d231ce066a324187987f411cd0709183c1637c3014c5f1da7702bf29e","sha256":"bb502812684c6ae5ad7753b8e539b45f4ffeb0af7d58337f621a9f12756a041c","path":"package.json"},{"tlsh":"d051754526e922301fa150929ccc26c2672fd729526ef990a54d479c428677063577bf","sha256":"9995eda9986246d14944e74196fde1f8c5ce9568721eb9cff63795ec59c456cd","path":"callback.js"}],"domains":["uolci-scan-cd1e5927b0c3-linux.d86r3dv5vn81lvohffp0131g8kdx9mz3c.oast.pro"],"package_integrity":[{"hashes":{"sha1":"4b3426ce48b114b221171e8fc17641508bd7067a","sha512_sri":"sha512-r/dOYxLrsPWRgErwx4lpP24dkex6fTTdKNKvUetVPH0iPz7WwlsHu/Vz0yAEcy/Zfw2F7oVPA/0FeiIKtTX+lw=="},"filename":"uolcs-host-uol-anuncios-fe-99.99.99.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}