{"id":"MAL-2026-4389","summary":"Malicious code in @flipbit2-bb/test-auth-state (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63)\nOn `npm install`, a postinstall script (phone-home.js) collects os.hostname(), os.userInfo().username, process.platform + os.release(), a timestamp, and a package label, then issues an HTTPS GET to https://webhook.site/a536b433-b440-43ec-8399-26059196216e. The package is published under @flipbit2-bb/test-auth-state but the bundled tarball, README, and the phone-home payload's `v` field all identify as `@atlassiansox/cross-flow-support@99.99.99` — a dependency-confusion targeting of Atlassian's internal scope, with version 99.99.99 chosen to win internal-vs-public resolution. Any installer who pulls this package — not just the intended target — leaks host identifiers to the author's webhook.site endpoint. The package has no other functionality.\n","modified":"2026-05-26T06:01:48.992056916Z","published":"2026-05-20T02:09:32Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:33.781123824Z","source":"amazon-inspector","sha256":"52ba26e89d1aca1f10772bf4cc8c9b23a436a39a8442fdf4ba9abf6c4c890e63","id":"IN-MAL-2026-003395","versions":["0.0.2"],"modified_time":"2026-05-20T02:09:32Z"},{"id":"IN-MAL-2026-003396","source":"amazon-inspector","sha256":"f5b20d9f984339db71670891222b3ac823f16fc30dca773e09a111b0b3fed8fa","import_time":"2026-05-26T05:50:33.877725996Z","versions":["0.0.2"],"modified_time":"2026-05-20T02:09:32Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@flipbit2-bb/test-auth-state/v/0.0.2"}],"affected":[{"package":{"name":"@flipbit2-bb/test-auth-state","ecosystem":"npm","purl":"pkg:npm/%40flipbit2-bb%2Ftest-auth-state"},"versions":["0.0.2"],"database_specific":{"indicators":{"package_integrity":[{"filename":"test-auth-state-0.0.2.tgz","hashes":{"sha1":"736404baf3cc2a4f9cf3c123b5cb1437abfbd233","sha512_sri":"sha512-CcKRZ1NHRpXpnskD6XW8u/Ym+obsnzW6WT6LoPtiJNQfLNg9D2/K9eOKem233X06SSE0dlwgn9sS/wgFt6BoGw=="}}],"domains":["webhook.site"],"evidence_files":[{"path":"phone-home.js","sha256":"bb3a363aaff81a01b9609fee2a357f03d77cc3fc256eda6305c3bbd5bb1a76da","tlsh":"230156e437f59578149d50d0b7663f0be257e6083149f4d0ecad538482c50f026b1676"},{"path":"package.json","sha256":"89c061e3c0ac9f28052f0e03e7346c2e76ad001c0ec62272dde1bea533bb069c","tlsh":"c5f08128a614073725c9571829667513b12dceeb130ddc0423d71204039e7f7473a18d"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@flipbit2-bb/test-auth-state/MAL-2026-4389.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}