{"id":"MAL-2026-4637","summary":"Malicious code in pewter-constants (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5)\nOn `npm install`, a preinstall hook in callback.js collects os.hostname(), os.userInfo().username, process.cwd(), the configured npm registry (`npm_config_registry`), and CI repo identifiers (GITHUB_REPOSITORY, CI_PROJECT_PATH, BUILD_REPOSITORY_NAME) and HTTP-GETs them to `http://75.119.137.232:31337/depconfuse`. The package is shaped as a dependency-confusion squat: version `9999.0.0` to win semver resolution against an internal package of the same name, an empty `index.js` (`module.exports = {}`), and placeholder author/description metadata (`Security Researcher`, `Security research placeholder`). Any build that resolves `pewter-constants` from the public registry will install this package and silently leak its internal registry URL, CI repo path, and host/user identity to a third-party operator over plain HTTP.\nThe 'security research' framing in the metadata does not change the installer-side impact — internal infrastructure is fingerprinted and disclosed without consent.\n","modified":"2026-05-26T06:02:49.149606081Z","published":"2026-05-23T17:41:32Z","database_specific":{"malicious-packages-origins":[{"sha256":"3c9f898fe8ed95b1d549bfff91d7c0dda0f75ada1c32a58af144940cf28b23c5","import_time":"2026-05-26T05:52:27.907183724Z","modified_time":"2026-05-23T17:41:32Z","versions":["9999.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-004369"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pewter-constants/v/9999.0.0"}],"affected":[{"package":{"name":"pewter-constants","ecosystem":"npm","purl":"pkg:npm/pewter-constants"},"versions":["9999.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pewter-constants/MAL-2026-4637.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-53NZh6fSnlnjnh8sr14zXFOJPp/I/eHg8J3jEpcDXaektjPfcLDo8wP9kSKG9wzKfSB9/AzbAujalxElFb75Hg==","sha1":"aa893fd3ec98b42fabdd658e5434d0029b6f8458"},"filename":"pewter-constants-9999.0.0.tgz"}],"evidence_files":[{"sha256":"681fd66df6380f3163de0c70cf621b81ada674401bd842b230dacd856933760a","path":"callback.js","tlsh":"1901bde9828858341cc313c4be956c1e98d7d3523283d4c2ab1d31e167531b486f65b9"},{"sha256":"e9f0be861735561b1077eb4480e2423b803d53550cd916e30663e47342a2b1c6","path":"package.json","tlsh":"f3e06814381468332cf686e504719256a065cd1f641a3c0ea746008ce38efdb82fb19e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}