{"id":"MAL-2026-4629","summary":"Malicious code in openmct-couch-plugin (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28)\nOn `npm install`, the package's `preinstall` script runs `node index.js` and then `curl`s the output of `hostname && whoami` to `http://8irluql1d21jmq8tr5n5fyoxjopfdd12.oastify.com/nasa/couchrestore/` over plain HTTP. The bundled `index.js` additionally reads `/etc/passwd`, captures `whoami`/`id`, `os.hostname()`, `os.platform()`, `os.userInfo().username`, the current working directory, and the first 30 entries of `process.env`, then HTTPS-POSTs the JSON payload to a second hardcoded Burp Collaborator host (`3nrgzlqwix6erldow0s0kttsojuai36s.oastify.com`). Both endpoints are oastify.com out-of-band-application-security-testing infrastructure used for blind data exfiltration. The package name impersonates NASA's openmct ecosystem (the exfil path `/nasa/couchrestore/` reinforces the lure), the package description falsely claims to be an AWS CDK SageMaker workflow, and the README contains the string 'Takeover By l0bo'. Installer harm is unconditional and fires before any user code runs.\n","modified":"2026-05-26T06:02:45.182471350Z","published":"2026-05-22T17:25:36Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"source":"amazon-inspector","sha256":"3c1380885956f163ad3cb8a1d2cf1221fa8bcb39aa2bdf7dcc3df83ab5ce8056","import_time":"2026-05-26T05:52:12.204194858Z","modified_time":"2026-05-22T17:25:36Z","id":"IN-MAL-2026-004232"},{"versions":["1.0.2"],"source":"amazon-inspector","sha256":"4f246b80cd72ab384a5270f974631d20ebddac7ccac137434102dfdbfd0ea9db","import_time":"2026-05-26T05:52:12.516853886Z","modified_time":"2026-05-22T17:37:49Z","id":"IN-MAL-2026-004235"},{"versions":["1.0.1"],"source":"amazon-inspector","sha256":"ce8eff366d17efa64bf8605941d009d01cf7a24aaf011af30faec449fc4a2e28","import_time":"2026-05-26T05:52:12.419917902Z","modified_time":"2026-05-22T17:36:36Z","id":"IN-MAL-2026-004234"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/openmct-couch-plugin/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openmct-couch-plugin/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openmct-couch-plugin/v/1.0.1"}],"affected":[{"package":{"name":"openmct-couch-plugin","ecosystem":"npm","purl":"pkg:npm/openmct-couch-plugin"},"versions":["1.0.0","1.0.2","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/openmct-couch-plugin/MAL-2026-4629.json","indicators":{"evidence_files":[{"tlsh":"e0411d9424f9953476f36d81b18359237b63f7023806f5a0badc03895bc9be45172ab9","sha256":"790c447c7022ed1e593905586aaa25f8e364fbde839816bc246e13ff22db22f0","path":"index.js"},{"tlsh":"21e0d12849b493b311d406e4e8fd459665615d174176bc6823c3d01c87cdea348be688","sha256":"9bb658fbdb3ea6e9cfe5b3a917364e6005db35bd202c310c49e9b60f19b07539","path":"package.json"}],"package_integrity":[{"filename":"openmct-couch-plugin-1.0.0.tgz","hashes":{"sha1":"9b39fbf63fbaddf416d3879e3e6eb999458adf11","sha512_sri":"sha512-F2cZDhJTBK+g7lpQOeYbY++42KZpgSOlqGa2R7khEOwHOyW/5ATW1kiJv8O3Wm5qI6K6+VxvbjVfmZlioJGQqg=="}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}