{"id":"MAL-2026-4535","summary":"Malicious code in configcat-trello-powerup (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b)\npackage.json declares `\"preinstall\": \"node index.js\"`, which fires automatically on `npm install`. index.js collects host identifiers (os.hostname, os.userInfo, homedir, DNS servers) and reads sensitive system files (/etc/passwd, /etc/hosts) plus package metadata, then HTTPS POSTs the bundle to a hardcoded Burp Collaborator subdomain `hzklpyrf8gdhgtycz16veroqihobc10q.oastify.com`. The package ships no real functionality — empty description, empty author, and a name resembling a plausible internal Trello/ConfigCat integration — fingerprint of a dependency-confusion squat whose only purpose is to beacon installer-side data to the attacker for follow-on targeting.\n","modified":"2026-05-26T06:02:23.032527412Z","published":"2026-05-21T20:42:44Z","database_specific":{"malicious-packages-origins":[{"sha256":"408ece81736dc366c6b5bbe4bb43186d622df67d9c0b675ace108f1b74439a08","versions":["1.0.0"],"modified_time":"2026-05-21T20:42:45Z","import_time":"2026-05-26T05:51:47.124944843Z","id":"IN-MAL-2026-004021","source":"amazon-inspector"},{"sha256":"5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b","versions":["1.0.0"],"modified_time":"2026-05-21T20:42:44Z","import_time":"2026-05-26T05:51:47.000707196Z","id":"IN-MAL-2026-004020","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/configcat-trello-powerup/v/1.0.0"}],"affected":[{"package":{"name":"configcat-trello-powerup","ecosystem":"npm","purl":"pkg:npm/configcat-trello-powerup"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"configcat-trello-powerup-1.0.0.tgz","hashes":{"sha1":"c0577625311533f87eea15b524de2339424c41d8","sha512_sri":"sha512-H1GyUfahI3l7R2U4XWyLsnn0ntVOpamUguGgaPf0A4bCg7nDoWR/N4ZAFuZQyMoRZj/QksyR4Nrg4tQ0r6tmxQ=="}}],"evidence_files":[{"sha256":"47ea228c1e6b0bc159ec4969626ee46225f34bf28d1b67ace3f1490edec744c7","tlsh":"20412595a2c917330dd110c0aa0c70843359fa777259a99076cf42979f869f8b7326f3","path":"index.js"},{"sha256":"561b5f240097ab83193579f01bf82891f9a422539f3593a62170a96ed23c2e0a","tlsh":"98d0a7344d22553325c506a64c2b945776718f6f05143c0863cb583c91de6b798ff34d","path":"package.json"}],"domains":["hzklpyrf8gdhgtycz16veroqihobc10q.oastify.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/configcat-trello-powerup/MAL-2026-4535.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}