{"id":"MAL-2026-4634","summary":"Malicious code in osep-react-antd (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9373e8880ad89854cc168b48a36c59bd72abfaf220e08fb751b948f0c4d8ddfb)\npackage.json declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects host identifiers (os.hostname(), process.platform, arch, os.homedir(), os.userInfo() including uid/gid/username/shell, cwd) and the output of `whoami` and `id` via child_process, then POSTs the JSON payload to a hardcoded URL `https://qtn11857tbs7r8jtj0bj2250xr3jrafz.oastify.com/detox56`. The oastify.com host is Burp Suite Collaborator out-of-band infrastructure used to receive callbacks from compromised installers. The package name mimics React/Ant Design naming conventions and ships empty author/description/license metadata with no functional code beyond the beacon — the dependency-confusion squat shape. Installer harm: every `npm install` of this package leaks the installer's hostname, username, uid/gid, and shell to the attacker, identifying internal corporate environments and CI runners for follow-on targeting.\n","modified":"2026-05-26T06:02:46.266055766Z","published":"2026-05-22T14:04:36Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-05-22T14:04:36Z","import_time":"2026-05-26T05:52:09.882897463Z","sha256":"9373e8880ad89854cc168b48a36c59bd72abfaf220e08fb751b948f0c4d8ddfb","id":"IN-MAL-2026-004212","versions":["10.10.11"]},{"id":"IN-MAL-2026-004213","modified_time":"2026-05-22T14:04:37Z","import_time":"2026-05-26T05:52:10.014487093Z","sha256":"9dcc00a5c8ddc89b443480d79e52a071516f70ae6ed584eb55866c7b5297383f","source":"amazon-inspector","versions":["10.10.11"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/osep-react-antd/v/10.10.11"}],"affected":[{"package":{"name":"osep-react-antd","ecosystem":"npm","purl":"pkg:npm/osep-react-antd"},"versions":["10.10.11"],"database_specific":{"indicators":{"domains":["qtn11857tbs7r8jtj0bj2250xr3jrafz.oastify.com"],"package_integrity":[{"filename":"osep-react-antd-10.10.11.tgz","hashes":{"sha512_sri":"sha512-KAGFz9HnmdYA+ZLHWuF7k/IKtPYCH9If/h4vaUq05OEHmsJEj847bet+6V+1wMCTypSWFuCmNjrk7hza8AJ8kw==","sha1":"4a9c4cc9f8ce029c6d377e0ea81fcd8ea7df4052"}}],"evidence_files":[{"path":"index.js","sha256":"6e4e841afa6316d1f03cf17c94c2da05440872f74448180bcd086b367c86bf1a","tlsh":"135141c515f656251ba7b8494a4f9402a327e0033509ee55bfcc8340af8837c9bf0bf6"},{"path":"package.json","sha256":"dde96b4fa8155a134e7d81c015cba43f25f93e0f856bf85e8dc49496507bd795","tlsh":"e4d05e204d21553369c106a34c2b945672a19f2f04043c08a3cb692d418eb7788fa30d"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/osep-react-antd/MAL-2026-4634.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}