{"id":"MAL-2026-4263","summary":"Malicious code in secdriven (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e64bd0b65a5cddc6e2032cfdd0a23f06c980a25066490b223d07e1b2e4efe3d8)\nOn `npm install`, postinstall.js executes `whoami` via child_process and reads os.hostname(), os.platform(), the working directory, and CI / GITHUB_REPOSITORY environment variables, then transmits them as query-string parameters in an HTTPS GET to a hardcoded interactsh subdomain (`lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com`) under the path `/google/secdriven/`. A DNS lookup using `whoami` output as a subdomain provides a fallback exfiltration channel. The package description (\"Security research canary — Google\") and README pointing at a Google CTF internal package.json indicate this is a dependency-confusion payload targeting Google's internal namespace; any installer whose resolver picks up this public name leaks host identity, username, working directory, and CI repository path to the third-party OOB-detection endpoint without consent. Whether published as research or attack, the installer-side effect is the same: unconsented identity-and-environment beacon at install time.\n\n## Source: ossf-package-analysis (bafef125d75ec1f8f8b4d9c19e43da29dc8efccecdab347c19a74d1602433535)\nThe OpenSSF Package Analysis project identified 'secdriven' @ 1.0.8 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-26T06:02:53.980130147Z","published":"2026-05-23T06:25:32Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.8"],"sha256":"bafef125d75ec1f8f8b4d9c19e43da29dc8efccecdab347c19a74d1602433535","import_time":"2026-05-23T07:22:21.103579867Z","source":"ossf-package-analysis","modified_time":"2026-05-23T07:15:46Z"},{"versions":["1.0.8"],"id":"IN-MAL-2026-004294","sha256":"5accf0a7d5ef749122c408d1b78a4585c663d7218ea42bd276d6e0b14ef04e1b","import_time":"2026-05-26T05:52:19.256034723Z","source":"amazon-inspector","modified_time":"2026-05-23T06:32:27Z"},{"versions":["1.0.8"],"id":"IN-MAL-2026-004293","sha256":"5f9fc2c83fd07e30cba7137fce3d4701f5bc1feb9146c396ae939f3acb720643","import_time":"2026-05-26T05:52:19.131920626Z","source":"amazon-inspector","modified_time":"2026-05-23T06:32:27Z"},{"versions":["1.0.1"],"id":"IN-MAL-2026-004291","modified_time":"2026-05-23T06:25:32Z","import_time":"2026-05-26T05:52:18.882063826Z","sha256":"975aa97eecdefbe83b5eab461ef8abe6850de825ce44496cbb351908bc0d51ec","source":"amazon-inspector"},{"versions":["1.0.7"],"id":"IN-MAL-2026-004292","source":"amazon-inspector","import_time":"2026-05-26T05:52:19.014922566Z","modified_time":"2026-05-23T06:30:38Z","sha256":"e64bd0b65a5cddc6e2032cfdd0a23f06c980a25066490b223d07e1b2e4efe3d8"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/secdriven/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/secdriven/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/secdriven/v/1.0.7"}],"affected":[{"package":{"name":"secdriven","ecosystem":"npm","purl":"pkg:npm/secdriven"},"versions":["1.0.8","1.0.1","1.0.7"],"database_specific":{"indicators":{"domains":["scan.lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com","lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-sqHArBd2KWVkWHooYwcYg/xnoSGOOJQFi7RMUF9PH4pobZ2A8GlyIiLaPB+YMY2wa8eU0z/pXxTBfiMV5CARhA==","sha1":"ef432b7a76c9c19a9a398a43a8cb7ebc4d63b0f0"},"filename":"secdriven-1.0.8.tgz"}],"evidence_files":[{"path":"postinstall.js","tlsh":"770120f123f0e6f058e24dc0e62598177167e0103341a9e07dac82696f89a7844b2cec","sha256":"b45fc29a5ae166c215182f92cd5688d06317cd099779b4694768bd47ce3c59a5"},{"sha256":"9a108b02a118fce0952636cfd3fe3ed15a326916bfe8777a9685c516fbfec04f","tlsh":"e7d022cb32aca7a7ec94efcb6a98d2186b3df810b44220c9f3010083b206c8913830e4","path":"readme.md"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/secdriven/MAL-2026-4263.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}