{"id":"MAL-2026-4258","summary":"Malicious code in @engagehub/core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bcc397ed87426726776c339f950939ac2da46c12edd018ed4bc48031f7044094)\nAll three lifecycle hooks (preinstall, install, postinstall) in package.json invoke `node telemetry.js`, so the payload fires unconditionally on `npm install`. telemetry.js gathers host context (OS, arch, Node version, pid) and CI-provider fingerprints by reading GITHUB_ACTIONS, AZURE_DEVOPS, and JENKINS_HOME, hex-encodes a JSON blob, and exfiltrates it as chunked `dns.lookup()` queries whose subdomain labels carry the encoded data. The destination is built via string concatenation to evade scanners: `\"d82atu5fokal0459\"+\"5n00qkgj7qiyixx7a\"+\".\"+\"oa\"+\"st\"+\".\"+\"li\"+\"ve\"`, resolving to a token under oast.live — an out-of-band interaction (interactsh) service commonly used by attackers as a covert DNS C2/exfil channel. The package additionally impersonates Microsoft (false `Copyright (c) Microsoft Corporation` header, fabricated `github.com/microsoft/core` repository URL, references to a nonexistent `engdocs.microsoft.com` docs site) under an UNLICENSED license to lend credibility to the dropper. Installing this package on a developer workstation or CI runner leaks host and CI-environment fingerprints to attacker-controlled infrastructure and confirms the package is reachable for follow-on targeting.\n\n## Source: ossf-package-analysis (326b05b76110daa7a72638fd81d726fb2ccb229f93e203e07aa236639b9120fa)\nThe OpenSSF Package Analysis project identified '@engagehub/core' @ 99.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-05-26T06:01:48.310071788Z","published":"2026-05-22T20:02:41Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","versions":["99.0.0"],"modified_time":"2026-05-22T20:05:56Z","sha256":"326b05b76110daa7a72638fd81d726fb2ccb229f93e203e07aa236639b9120fa","import_time":"2026-05-22T20:36:48.234267082Z"},{"source":"amazon-inspector","id":"IN-MAL-2026-004252","versions":["99.0.0"],"modified_time":"2026-05-22T20:02:42Z","sha256":"00d2aa8784139f3335dd28e4b761b1f90459d3ff18f4e531d1f26287b05510be","import_time":"2026-05-26T05:52:14.414325182Z"},{"source":"amazon-inspector","id":"IN-MAL-2026-004251","versions":["99.0.0"],"modified_time":"2026-05-22T20:02:41Z","sha256":"bcc397ed87426726776c339f950939ac2da46c12edd018ed4bc48031f7044094","import_time":"2026-05-26T05:52:14.314767657Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@engagehub/core/v/99.0.0"}],"affected":[{"package":{"name":"@engagehub/core","ecosystem":"npm","purl":"pkg:npm/%40engagehub%2Fcore"},"versions":["99.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@engagehub/core/MAL-2026-4258.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"domains":["k.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p1.227473223a313737393438303134313031312c226f73223a22.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p4.77645f68617368223a302c22706964223a33347d.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","c.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p2.6c696e7578222c2261726368223a22783634222c2272756e74.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p1.227473223a313737393438303134323530352c226f73223a22.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p4.77645f68617368223a302c22706964223a34357d.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p0.7b22736368656d61223a312c22626964223a2230303133222c.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p1.227473223a313737393438303133383039322c226f73223a22.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p3.696d65223a227631382e32302e38222c226369223a302c2263.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live","p4.77645f68617368223a302c22706964223a32337d.0013.d82atu5fokal04595n00qkgj7qiyixx7a.oast.live"],"evidence_files":[{"tlsh":"1851c65a6ee820281a62e0b8b51f5503f37993331b24f955e08fc3645fe75b851bcae2","sha256":"61c869a8ad4b842d6c5df56f9fe0d06286fb14a4d075dce87d5a8b6651dc221a","path":"telemetry.js"},{"tlsh":"0a014228de280d272dd12aa299730181a3350d2b09043c083fc2021c8bcea6f52ff32d","sha256":"21b71d8e400486993e1e437aabfc449c342bd90e7cbac74e9c50546b552981a3","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"294235300cccbb57558786500483d81984daf729","sha512_sri":"sha512-UlqAfzQ9kUkpBMMKlyd9OPeRBuBBDxizwrZQ6oB8n2fAB+adcGx7HBzwvKdhWnbh6szEfGwb2o6MraRw5QIpwA=="},"filename":"core-99.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}