{"id":"MAL-2026-4530","summary":"Malicious code in cloudsmith-vsc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2b49ad4432747f754181e7a8428aff5fd2613f9d86283f05a04c2dd1f9ac2f2f)\npackage.json declares a preinstall hook (`\"preinstall\": \"node index.js\"`) that runs automatically on `npm install`. index.js reads installer-side system identity and files — `os.hostname()`, `os.userInfo()`, homedir, DNS configuration, package metadata, `/etc/passwd`, and `/etc/hosts` — and POSTs them over HTTPS to a hardcoded Burp Collaborator subdomain (`6hoa7n94q5v6yig1hqokwg6f066zupie.oastify.com`). The package metadata is empty (no description, author, or license) and the name impersonates the Cloudsmith vendor brand, consistent with a dependency-confusion / typosquat recon-and-exfil payload. Any machine that installs this package transmits host fingerprinting and local account data to the attacker.\n","modified":"2026-05-26T06:02:23.149815690Z","published":"2026-05-21T20:18:50Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-21T20:18:50Z","source":"amazon-inspector","sha256":"2b49ad4432747f754181e7a8428aff5fd2613f9d86283f05a04c2dd1f9ac2f2f","import_time":"2026-05-26T05:51:46.301697711Z","id":"IN-MAL-2026-004014","versions":["2.1.2"]},{"modified_time":"2026-05-21T20:18:50Z","source":"amazon-inspector","sha256":"b426dccab89457fd791a8fd83473fe7afa862d2e532c41b1fd635bb251e5c830","import_time":"2026-05-26T05:51:46.418503203Z","id":"IN-MAL-2026-004015","versions":["2.1.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cloudsmith-vsc/v/2.1.2"}],"affected":[{"package":{"name":"cloudsmith-vsc","ecosystem":"npm","purl":"pkg:npm/cloudsmith-vsc"},"versions":["2.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cloudsmith-vsc/MAL-2026-4530.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"36412395a2c917330de250c06a0c70842359fa777169e8d076cf42d6af869f8bb726f3","sha256":"90a1bfca0b7c5f70251dcb2a80f5be735ee867b0423d74de994de7dc6c895a30","path":"index.js"},{"path":"package.json","sha256":"6cb0e7edb6061c94dd2db1047811b2963f309cc734912b4a315588eaffb58b49","tlsh":"00d05e244e21663365c502a60c2b944a62a18f2b05043c08638b182c919e677a8fb31d"}],"domains":["6hoa7n94q5v6yig1hqokwg6f066zupie.oastify.com"],"package_integrity":[{"filename":"cloudsmith-vsc-2.1.2.tgz","hashes":{"sha512_sri":"sha512-Z/tEK9ouOUj4aZJWBdhQNKMetFQbhDHRZYKNEv+W7g7SONLNZhiCeOxBvIUsv9yY5gZv8QKCo0FpV4p8+QlVTw==","sha1":"183b643957e6888802a34a88a046be57cf31e36d"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}