{"id":"MAL-2026-4418","summary":"Malicious code in @pluxee-connect/api-client (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9)\nOn `npm install`, postinstall.js collects `os.hostname()`, `os.userInfo()`, and `process.version` and transmits them over plain HTTP to `716bw4e4k31qif2nc1v658fb62ct0soh.oastify.com` (a Burp Collaborator out-of-band interaction subdomain), with DNS resolution providing a second exfil channel via subdomain encoding. The package itself is a near-empty shell — `index.js` exports only a `ConsentsStatus` enum — and is published at version 99.0.1, far above any plausible legitimate release for the `@pluxee-connect` scope. The structural shape (high-bumped version + trivial functional surface + lifecycle-time OOB beacon to oastify.com) is the canonical dependency-confusion attack against an internal scope. Any developer or CI system that resolves `@pluxee-connect/api-client` from public npm will leak machine identifiers to the attacker.\n","modified":"2026-07-09T09:32:05.872711410Z","published":"2026-05-20T03:57:26Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9","modified_time":"2026-05-20T03:57:26Z","import_time":"2026-05-26T05:50:39.767477875Z","versions":["99.0.1"],"id":"IN-MAL-2026-003448"},{"import_time":"2026-05-26T05:50:39.993445116Z","sha256":"5341a62046be72550e2251f1daefebf8aa8fd5337959f11f22737608594a76df","modified_time":"2026-05-20T03:58:21Z","source":"amazon-inspector","versions":["99.0.0"],"id":"IN-MAL-2026-003450"},{"import_time":"2026-05-26T05:50:39.863581136Z","sha256":"b0338c8fd88c7019dff2cc27c111ec86d5058d80013a0b1912f1202740fd1a64","modified_time":"2026-05-20T03:57:26Z","source":"amazon-inspector","versions":["99.0.1"],"id":"IN-MAL-2026-003449"},{"import_time":"2026-05-26T05:50:40.133834727Z","sha256":"c1ff45fd41f66a6b9354fd1981f206045aaab32760562d6fcf01ba69612d89fb","modified_time":"2026-05-20T03:58:21Z","source":"amazon-inspector","versions":["99.0.0"],"id":"IN-MAL-2026-003451"},{"import_time":"2026-07-09T09:15:58.796982988Z","sha256":"ec1fabbdcb15e2474aae7f0b02d7dc122a7d0a153b5ab59e77091b48ad45a9a8","modified_time":"2026-07-07T12:26:53Z","source":"reversing-labs","versions":["99.0.0","99.0.1"],"id":"RLMA-2026-04769"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@pluxee-connect/api-client/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@pluxee-connect/api-client/v/99.0.0"}],"affected":[{"package":{"name":"@pluxee-connect/api-client","ecosystem":"npm","purl":"pkg:npm/%40pluxee-connect/api-client"},"versions":["99.0.1","99.0.0"],"database_specific":{"indicators":{"domains":["scan-e1ba26a7c847.scan.716bw4e4k31qif2nc1v658fb62ct0soh.oastify.com","716bw4e4k31qif2nc1v658fb62ct0soh.oastify.com"],"package_integrity":[{"filename":"api-client-99.0.1.tgz","hashes":{"sha1":"ad6344ac0dce2a95a42349f110a911d684587a62","sha512_sri":"sha512-cfJNKJ6rBFmR33uNxq+NBHqWieEMhmSP9Vw5XTxE3S3RthwUbHOmHf3ZU6B/AynX1Dh2ai0/CzHW9Y326+BEgQ=="}}],"evidence_files":[{"sha256":"2f025ff9cd5d04b4e0b365e6b7e7750c4e8d26d1872e4a53a704e14057f9046d","path":"postinstall.js","tlsh":"e4016de449e4d63019fa15c8b75b481e50dbe242795bdcc0b8bf42d00f675394660ab8"},{"sha256":"3d4f20f0fcd918c479e33a05b4a9c46d76aa30f91e1aff90c60c689efbe3cecf","path":"package.json","tlsh":"b6d02b208519053324c81754dc774a475bb34e27111c381813c7217c47bd33b58bf25f"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@pluxee-connect/api-client/MAL-2026-4418.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}