{"id":"MAL-2026-4479","summary":"Malicious code in anthropic-shared-logger (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e54ef50a83e2f379965286ed404d16ca3389a9ce5c8593718ef4e6f307cc6084)\nThis package impersonates Anthropic's internal namespace and self-describes as 'Full RCE PoC - Alex Birsan Style'. Its package.json declares a postinstall hook that, on every `npm install`, fetches the installer's public IP from api.ipify.org, runs `id || ver && whoami && hostname` via child_process.exec, and POSTs the hostname, current working directory, USERDOMAIN/COMPANY environment variables, IP address, and command output to a hardcoded Interactsh OOB endpoint at lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun over plain HTTP. The combination of namespace impersonation, automatic install-time shell execution, and host reconnaissance exfiltration to attacker-controlled out-of-band infrastructure is a canonical Birsan-style dependency confusion attack. Any build system that mis-resolves this name to the public registry leaks identity and host data to the attacker, enabling targeted follow-on compromise.\n","modified":"2026-05-26T06:02:14.050794507Z","published":"2026-05-21T00:09:42Z","database_specific":{"malicious-packages-origins":[{"sha256":"754f7dc4855ecb1df012814bf5ec92a861958b7af0027d88d0a2cb918793cdce","import_time":"2026-05-26T05:51:03.407406712Z","source":"amazon-inspector","id":"IN-MAL-2026-003657","versions":["8.0.5"],"modified_time":"2026-05-21T00:09:42Z"},{"sha256":"e54ef50a83e2f379965286ed404d16ca3389a9ce5c8593718ef4e6f307cc6084","import_time":"2026-05-26T05:51:03.295053925Z","source":"amazon-inspector","id":"IN-MAL-2026-003656","versions":["8.0.5"],"modified_time":"2026-05-21T00:09:42Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/anthropic-shared-logger/v/8.0.5"}],"affected":[{"package":{"name":"anthropic-shared-logger","ecosystem":"npm","purl":"pkg:npm/anthropic-shared-logger"},"versions":["8.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/anthropic-shared-logger/MAL-2026-4479.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"domains":["api.ipify.org"],"evidence_files":[{"tlsh":"8b1179f0dac4d5b9a3d107f97d43d501fd23e75911105cb0e96c16414b45170259be9c","sha256":"c5ee2909d9b5fd81e5446da44cb585c48d5d0847c88622a2e13e9a15894df7ea","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-qd0sKM/4kBkd83Ne7r8kz0CwuiO+awnOeF1bWE+MHBnxJYNsny6ImoFvvaw7YtQF3nVAL05PrHKisfKRXtTRgA==","sha1":"42ac708d3461fe7c7e6b03558034a794f4cc49d3"},"filename":"anthropic-shared-logger-8.0.5.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}