{
  "id": "MAL-2026-4193",
  "summary": "Malicious code in private-next-pages (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (00c6505c70734328f859fa758ad45ba680403a4cfeedd60d2f9e035b026bd45c)\npackage.json declares a postinstall script that uses Node's child_process to execute reconnaissance commands (including `whoami`) and beacon results out via HTTPS. The script contacts https://api.ipify.org to resolve the installer's public IP, reads process.env, and sends data to an `.oast.fun` host — the Project Discovery `interact.sh` out-of-band testing service used as a generic exfiltration sink. On `npm install`, this fires automatically and leaks host identity, network egress IP, and environment variables to an attacker-controlled collector. There is no legitimate reason for a Next.js page utility package to perform host fingerprinting or beacon to an OOB interaction service at install time.\n\n## Source: ossf-package-analysis (ff710fe6d7fd45d98e33a811da127f892b543f920fe244e16f56e71db66c3ebf)\nThe OpenSSF Package Analysis project identified 'private-next-pages' @ 9.0.5 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n",
  "modified": "2026-05-26T06:02:39.612313135Z",
  "published": "2026-05-20T18:14:49Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "sha256": "ff710fe6d7fd45d98e33a811da127f892b543f920fe244e16f56e71db66c3ebf",
        "versions": ["9.0.5"],
        "modified_time": "2026-05-20T18:14:49Z",
        "source": "ossf-package-analysis",
        "import_time": "2026-05-20T18:18:23.063948299Z"
      },
      {
        "sha256": "00c6505c70734328f859fa758ad45ba680403a4cfeedd60d2f9e035b026bd45c",
        "versions": ["9.0.5"],
        "modified_time": "2026-05-20T23:51:16Z",
        "id": "IN-MAL-2026-003650",
        "source": "amazon-inspector",
        "import_time": "2026-05-26T05:51:02.606227244Z"
      },
      {
        "sha256": "7bb63ecb31a75e0d7668aad050547f7c02319ad7f241a2a1df244a55330337f5",
        "versions": ["9.0.5"],
        "modified_time": "2026-05-20T23:51:16Z",
        "id": "IN-MAL-2026-003651",
        "source": "amazon-inspector",
        "import_time": "2026-05-26T05:51:02.727832173Z"
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/private-next-pages/v/9.0.5"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "private-next-pages",
        "ecosystem": "npm",
        "purl": "pkg:npm/private-next-pages"
      },
      "versions": ["9.0.5"],
      "database_specific": {
        "indicators": {
          "package_integrity": [
            {
              "filename": "private-next-pages-9.0.5.tgz",
              "hashes": {
                "sha512_sri": "sha512-9J8R+yct4SeOv6S1NQSIW4bg0Ui19s9CuKrcQpc7ZbannbGqobVOtSEFafiXxeviJ2vI/9ZfQ0a2z4e28RTQlw==",
                "sha1": "85d2bd4109543aee679959487cf8de32d7950a73"
              }
            }
          ],
          "domains": [
            "api.ipify.org",
            "lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun"
          ],
          "evidence_files": [
            {
              "sha256": "91fd93f8b0aa352c33d393c6b7592dd78ef9d62eca453bcb44cfe8f39fdd0ca3",
              "tlsh": "781165e099c0e6b9e3d147f4b907d506f933eb1a62105cb0b96c16829b441b052abfdc",
              "path": "package.json"
            }
          ]
        },
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/private-next-pages/MAL-2026-4193.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["actran@amazon.com"],
      "type": "FINDER"
    },
    {
      "name": "OpenSSF: Package Analysis",
      "contact": [
        "https://github.com/ossf/package-analysis",
        "https://openssf.slack.com/channels/package_analysis"
      ],
      "type": "FINDER"
    }
  ]
}