{"id":"MAL-2026-4633","summary":"Malicious code in osep-api-hub-service-client-v1 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76)\npackage.json declares `\"preinstall\": \"node index.js\"`, causing index.js to run automatically on `npm install`. index.js collects host identifiers — `os.hostname()`, `os.userInfo()` (username/uid/gid/shell), `os.homedir()`, `process.platform`, `process.arch`, `process.cwd()` — and additionally shells out via `child_process` to `whoami` and `id`. The collected JSON is POSTed to the hardcoded URL `https://0pqbxi1hplohnif3fa7tyc1at1zsnobd.oastify.com/detox56`, a Burp Collaborator (oastify.com) subdomain controlled by whoever published the package. The package name mimics an internal-sounding scoped client and ships with empty author/description metadata, consistent with a dependency-confusion attack targeting a private package namespace. Any developer or CI system that installs this package immediately leaks host and user identity to the attacker's Collaborator endpoint.\n","modified":"2026-05-26T06:02:45.664255711Z","published":"2026-05-22T13:52:26Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-22T13:52:26Z","source":"amazon-inspector","sha256":"35b827956cab8e1ef741b2291e076175d7e61e4c19cff7faaf4ff94cf6792620","import_time":"2026-05-26T05:52:09.597331913Z","versions":["10.9.1"],"id":"IN-MAL-2026-004210"},{"modified_time":"2026-05-22T13:52:26Z","import_time":"2026-05-26T05:52:09.498565128Z","versions":["10.9.1"],"source":"amazon-inspector","sha256":"cd131719d20e013a4627e1ea402ffc26135d66a5d6dd35669b8a3a6fb85e5f76","id":"IN-MAL-2026-004209"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/osep-api-hub-service-client-v1/v/10.9.1"}],"affected":[{"package":{"name":"osep-api-hub-service-client-v1","ecosystem":"npm","purl":"pkg:npm/osep-api-hub-service-client-v1"},"versions":["10.9.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"f0380d53674f87e066935543c56fded022942ac5","sha512_sri":"sha512-YL3O0dgCurCqZ6c40W9LAyq+tIgl2XJRwRbbLtgfTowcuPE6A8xlLXpZSAgji+92PQnAmabSYUARQtZCFDk8kA=="},"filename":"osep-api-hub-service-client-v1-10.9.1.tgz"}],"evidence_files":[{"path":"index.js","sha256":"358592649438ef0e2e1176d3cafbc822adf727f6fffdea54524afd613e4ed9e3","tlsh":"5c5152c515f65a241ba7b8494a4f9002a327e0033545ee55bfcc8340af8837c97f0bf2"},{"path":"package.json","sha256":"fa9fd8adb20800478e419d98ed82b897834b64ef4937a406cef58b9475710292","tlsh":"c1d05e648e62553329c506a24c2ba456b2729f2f54157c08a3df582c41ceb7798fe31c"}],"domains":["0pqbxi1hplohnif3fa7tyc1at1zsnobd.oastify.com"]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/osep-api-hub-service-client-v1/MAL-2026-4633.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}