{"id":"MAL-2026-4638","summary":"Malicious code in pewter-constantstest (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (050b19d8dad7c8c1a626c953493c23b375e434128f38950625f82b0fb244eabe)\nOn `npm install`, the `preinstall` script `callback.js` collects the installer's hostname, OS username, current working directory, npm registry configuration, and CI repository identifiers from a broad list of CI environment variables (GITHUB_REPOSITORY, CI_PROJECT_PATH, BUILD_REPOSITORY_NAME, BITBUCKET_REPO_FULL_NAME, TRAVIS_REPO_SLUG, DRONE_REPO, BUILDKITE_PIPELINE_SLUG, CIRCLE_PROJECT_REPONAME, JOB_NAME) and transmits them via plaintext HTTP GET to the hardcoded bare IP `http://75.119.137.232:31337/depconfuse`. The package has no functional surface: `index.js` exports an empty object, the description is the generic `Shared utility helpers.`, the README is 48 bytes, and the version is `9999.0.0` — the canonical dependency-confusion override version designed to win resolution against an internal package of the same name.\nThe package exists solely to fire the beacon when an organization accidentally resolves this public name in place of a private/internal package, leaking the victim's identity and internal repo names to the attacker for follow-on targeting.\n","modified":"2026-05-26T06:02:49.171743542Z","published":"2026-05-23T18:19:29Z","database_specific":{"malicious-packages-origins":[{"sha256":"050b19d8dad7c8c1a626c953493c23b375e434128f38950625f82b0fb244eabe","import_time":"2026-05-26T05:52:29.06066637Z","id":"IN-MAL-2026-004379","modified_time":"2026-05-23T18:19:29Z","versions":["9999.0.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pewter-constantstest/v/9999.0.0"}],"affected":[{"package":{"name":"pewter-constantstest","ecosystem":"npm","purl":"pkg:npm/pewter-constantstest"},"versions":["9999.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"fc117bb9c78c1c3409c2178079686c1eb8fbe291338294917f2d71d26bb22b046b75b9","sha256":"a109dbdaf89dcb8929613bf8787e9d015c8cdf58a1bcd33faa14e320a210f78a","path":"callback.js"},{"tlsh":"5cd02e309b2258232cd8abd20c2a654202228e2b01083809278b801e55ae2a718bf28e","sha256":"fcf70fd33bd71cf981f9d0ae8125b6915a33c328592fa612f662c07ee187827e","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-Xk2f1WYmerSQB45gzioLW4XzfVMHVLAJhkBFqjfXbrc82a6SJSzLCVmZyYw6kGrAnn0w5CpdSKIH6g5mbXgNwg==","sha1":"0e96eaf1325ffb6d1ad3af8f69990d5cfc43a122"},"filename":"pewter-constantstest-9999.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pewter-constantstest/MAL-2026-4638.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}