{"id":"MAL-2026-4537","summary":"Malicious code in cosmosdb-server (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (925077d4c86616920b1ad20f2342df7473d9504764582235049e78eed9189a76)\nPackage squats the unscoped name `cosmosdb-server`, targeting users who mistype `npx cosmosdb-server` instead of the scoped `@vercel/cosmosdb-server`. The package.json declares `bin: {\"cosmosdb-server\": \"./index.js\"}` and self-describes as a 'bin-mismatch PoC' for the Vercel package. When invoked (via `npx`, `bin` execution, or `require()`), index.js collects `os.hostname()`, `process.cwd()`, `process.platform`, `process.arch`, and a timestamp and POSTs them to a hardcoded endpoint at `https://callback-monitor.cyb3rsh4ykh.workers.dev/c`, controlled by the package author. The 'security research / responsible disclosure' framing in the description does not constitute installer consent — the package is published live on the public registry under a name designed to capture mistyped invocations, and victims have no opportunity to opt out before their host identity and working-directory path are exfiltrated. Combination of (a) ≤2-edit name confusion against a scoped Vercel package, (b) hardcoded attacker-controlled exfil endpoint, and (c) immediate-on-execution data collection meets the typosquat-with-installer-harm threshold.\n","modified":"2026-05-26T06:02:24.726334909Z","published":"2026-05-23T15:32:58Z","database_specific":{"malicious-packages-origins":[{"sha256":"925077d4c86616920b1ad20f2342df7473d9504764582235049e78eed9189a76","modified_time":"2026-05-23T15:32:58Z","import_time":"2026-05-26T05:52:25.316264978Z","id":"IN-MAL-2026-004347","versions":["0.0.1"],"source":"amazon-inspector"},{"import_time":"2026-05-26T05:52:26.798984862Z","modified_time":"2026-05-23T16:12:29Z","source":"amazon-inspector","id":"IN-MAL-2026-004359","versions":["0.0.2"],"sha256":"bd70e10e2c7d65e7513de4b24cf12a84b72c2b9bc60c308193d16e556579cbc8"},{"sha256":"92604ddb032b222715131556ae2bd43c107849724e592697f99782131d461e0c","modified_time":"2026-05-23T16:12:19Z","import_time":"2026-05-26T05:52:26.669356548Z","id":"IN-MAL-2026-004358","versions":["0.0.2"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cosmosdb-server/v/0.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cosmosdb-server/v/0.0.2"}],"affected":[{"package":{"name":"cosmosdb-server","ecosystem":"npm","purl":"pkg:npm/cosmosdb-server"},"versions":["0.0.1","0.0.2"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"5421d0d192da62252ae5adc070b33e4ba397c534f702a451668501e56ff98b8cc912cb","sha256":"f9bfe1d95b9d03bce089fa359d667f50c26e152716ef66b1e7ec041c82dabe62","path":"index.js"},{"tlsh":"b6e026336414c22b69e815981c302a9a7e248b521344790c035b8309e29cab182b8359","sha256":"e34d03f70361706f92abdb54a351b19f7e590bdcc66969b516de088e9727bb00","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"fb01c47a48f091401ea19d86b9b772665f1b0cfd","sha512_sri":"sha512-rhcCK9+hYuGF5+9xwGW5rNeFNbsc0sODUZjX9X78A61ZrbBZGLJgSZCdcOfiHwbbhQm0QhY5SC/u1Av2/F4fNQ=="},"filename":"cosmosdb-server-0.0.1.tgz"}],"domains":["callback-monitor.cyb3rsh4ykh.workers.dev"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cosmosdb-server/MAL-2026-4537.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}