{"id":"MAL-2026-4614","summary":"Malicious code in moneykit-cardano-demo (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e6186e5ec8b6cea4f1cec3b4284cf09f2e317dd7d745fb5f88e15b355497d08e)\npackage.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host identifiers and OS files — `os.hostname()`, `os.userInfo().username`, home directory, DNS servers, `/etc/passwd`, `/etc/hosts`, and the consumer's full package.json — and HTTPS-POSTs the JSON payload to `bixf8sa9rawbznh6ivppxl7k1b72vtji.oastify.com`, a Burp Collaborator subdomain. The package ships no functionality matching its name; metadata is empty (no author, description, or license). The name `moneykit-cardano-demo` resembles an internal/private namespace and is consistent with a dependency-confusion reconnaissance package targeting an organization's internal scope. Installer harm: every `npm install` of this package leaks host identity, the local user account, OS-level files (`/etc/passwd`, `/etc/hosts`), and the consumer project's package.json contents to the attacker, providing target identification and the foothold data needed for follow-on attacks.\n","modified":"2026-05-26T06:02:42.971663378Z","published":"2026-05-21T19:19:36Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-21T19:19:36Z","sha256":"e6186e5ec8b6cea4f1cec3b4284cf09f2e317dd7d745fb5f88e15b355497d08e","import_time":"2026-05-26T05:51:44.309428Z","id":"IN-MAL-2026-003998","source":"amazon-inspector","versions":["1.1.0"]},{"modified_time":"2026-05-21T19:19:36Z","sha256":"f81e8eff0e7705526162dee2bf6cd4d92c29250434a706de54e3381cc405bacf","import_time":"2026-05-26T05:51:44.483049443Z","id":"IN-MAL-2026-003999","source":"amazon-inspector","versions":["1.1.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/moneykit-cardano-demo/v/1.1.0"}],"affected":[{"package":{"name":"moneykit-cardano-demo","ecosystem":"npm","purl":"pkg:npm/moneykit-cardano-demo"},"versions":["1.1.0"],"database_specific":{"indicators":{"domains":["bixf8sa9rawbznh6ivppxl7k1b72vtji.oastify.com"],"evidence_files":[{"sha256":"ac995929995fb8c81e19121444b5b5d6ef240645ac9435ab113776ebc6c0d61a","path":"index.js","tlsh":"6c412399a2c917330de210c06a0c70852359fa777169e8d076cf4296af869f8b7326f3"},{"sha256":"4337b8999b604889dc97e99ee6efd2bb327c0b9b9fbebb2365bc6d4cdbd663f0","path":"package.json","tlsh":"92d05e204e21657365c606a2482aa597a2618e2f05043c0867cb282c82dea77a8fa34d"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-qGv10hq/LrvcTEYqPeyYkxrUKZwMzZMkHhCgmhv7ZkofkVeTPOonxNucR9FWdO589ut6O7b0FzYLD8HshAgF6Q==","sha1":"ed1e093fffb64f5e2a3d1ef52b03ddc786cd6a39"},"filename":"moneykit-cardano-demo-1.1.0.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/moneykit-cardano-demo/MAL-2026-4614.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}