{"id":"MAL-2026-4586","summary":"Malicious code in intl-ad-routing (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (07b57475540583a4a2af3fb2d790f066c2e77742a704b3e5048c118f82cc8185)\nintl-ad-routing@99.0.1 is a dependency-confusion squat targeting an internal `@livingdesign/react` namespace. On `npm install`, the package's `preinstall` hook (poc.js) executes shell commands to enumerate the installer's environment (`ipconfig /all` on Windows, `ip a && cat /etc/resolv.conf` on Linux) and collects hostname, username, install directory, network interfaces, the full list of `process.env` keys, and every `npm_*` environment variable (which can include npm registry auth tokens / `_authToken` values). The collected JSON is POSTed over HTTPS to `d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me` (an interactsh out-of-band collector), and a DNS callback encoding hostname+username is also issued. The package's own description states it is a 'Dependency Confusion PoC' for a bug-bounty program, but the lifecycle code runs on any installer that resolves this public version in place of the intended private package — without the installer's consent — and ships their host identifiers and potentially registry credentials to a third-party collector.\n","modified":"2026-05-26T06:02:37.480881703Z","published":"2026-05-25T13:57:52Z","database_specific":{"malicious-packages-origins":[{"versions":["99.0.1"],"sha256":"07b57475540583a4a2af3fb2d790f066c2e77742a704b3e5048c118f82cc8185","modified_time":"2026-05-25T14:04:58Z","source":"amazon-inspector","import_time":"2026-05-26T05:53:03.642944997Z","id":"IN-MAL-2026-004672"},{"versions":["99.0.2"],"sha256":"10e3837ff1f1720b66da6fe03dcf8d5ab32177c318e5375fc88d990978001d8e","modified_time":"2026-05-25T14:10:44Z","source":"amazon-inspector","import_time":"2026-05-26T05:53:04.565801989Z","id":"IN-MAL-2026-004680"},{"import_time":"2026-05-26T05:53:04.671191569Z","sha256":"20e767fa3d23bb55ceda90b4d34559854342e89c669b04fe66a66efa489d7ffc","modified_time":"2026-05-25T14:10:45Z","versions":["99.0.2"],"source":"amazon-inspector","id":"IN-MAL-2026-004681"},{"versions":["99.0.0"],"sha256":"2d3ae341070180b53327ce5da456cb167f93f03a5e37af73afb1401155b7b473","modified_time":"2026-05-25T13:57:52Z","source":"amazon-inspector","import_time":"2026-05-26T05:53:02.281095859Z","id":"IN-MAL-2026-004659"},{"import_time":"2026-05-26T05:53:02.367833344Z","sha256":"b5c85be0b31f62e2f721e9a0f515ca51c7d50d2e7e730796d6d9a1eca0552dff","modified_time":"2026-05-25T13:57:53Z","versions":["99.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-004660"},{"import_time":"2026-05-26T05:53:03.730290898Z","sha256":"efd808c6bb76d832791595474b8fa55fd98cfe51def0c027e66e7d2f16b5ee57","modified_time":"2026-05-25T14:04:58Z","versions":["99.0.1"],"source":"amazon-inspector","id":"IN-MAL-2026-004673"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/intl-ad-routing/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/intl-ad-routing/v/99.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/intl-ad-routing/v/99.0.0"}],"affected":[{"package":{"name":"intl-ad-routing","ecosystem":"npm","purl":"pkg:npm/intl-ad-routing"},"versions":["99.0.1","99.0.2","99.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/intl-ad-routing/MAL-2026-4586.json","indicators":{"evidence_files":[{"path":"poc.js","sha256":"070584fedb3235d6c303ea8528830adb4416e67237d35f20282bc389e917f234","tlsh":"493165d615f9647036b6fac0b0d6ad515367e333b54af8e42588098172cf9f181f52e4"},{"path":"package.json","sha256":"575c59aeb9755bf8f3fe78360ee95d3b9796389495d9e2c6e6337c7b01219522","tlsh":"01e07d781410102317d8c7fa15f64847a12cce0b11086c1a0f6334cc92eeba3417eb9d"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-gjl2nHZtvzDd83BHTvynm08CQLyLCTYf8l8Ff9jhIzSaJgupC7PD1CNVAxjIZh38FxyNqu3C3nQkLR1GG/oHig==","sha1":"71809daf2a7b7e79e314fe44c6be41e8b46bd4a1"},"filename":"intl-ad-routing-99.0.1.tgz"}],"domains":["intl-ad-routing-7363616e2d34313036666434656337.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me","d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}