{"id":"MAL-2026-4650","summary":"Malicious code in pubnub-moderation-tool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (750918c1551873c10f69bc746538652a6adf047d6c76231a40832fff30b74938)\npackage.json declares \"preinstall\": \"node index.js\", causing index.js to run automatically on npm install. The script collects os.hostname(), os.userInfo(), home directory, DNS server list, package metadata, and the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to vdcz3c5tmurvu7cqdfk9s524wv2nqee3.oastify.com — a Burp Collaborator subdomain used as an out-of-band exfiltration sink. The package contains no functionality matching its declared name; metadata fields (author, description) are empty and the package name impersonates PubNub branding, consistent with dependency-confusion / typosquat bait. Installing this package leaks installer host identity and local system files to an attacker on every install.\n","modified":"2026-05-26T06:02:52.135924550Z","published":"2026-05-21T19:56:38Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.3"],"id":"IN-MAL-2026-004003","import_time":"2026-05-26T05:51:44.955474884Z","modified_time":"2026-05-21T19:56:38Z","sha256":"750918c1551873c10f69bc746538652a6adf047d6c76231a40832fff30b74938"},{"source":"amazon-inspector","versions":["1.0.3"],"id":"IN-MAL-2026-004004","import_time":"2026-05-26T05:51:45.046129328Z","modified_time":"2026-05-21T19:56:39Z","sha256":"86b6d7737de22762f813d12544a153142fab66e679a9c1055a83e6f0540c5fec"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pubnub-moderation-tool/v/1.0.3"}],"affected":[{"package":{"name":"pubnub-moderation-tool","ecosystem":"npm","purl":"pkg:npm/pubnub-moderation-tool"},"versions":["1.0.3"],"database_specific":{"indicators":{"domains":["vdcz3c5tmurvu7cqdfk9s524wv2nqee3.oastify.com"],"evidence_files":[{"path":"index.js","sha256":"440f77dc7b7d7a87a616118717a86de251f1c6a4c49fb6aba7ed74e5bc535a26","tlsh":"9e412399a2d917330de210c06a0c70c52359fa777259e99076cf42d69f869f8b7326f3"},{"path":"package.json","sha256":"2710c66ea7cc9f902726ef393fd4db9d523421ae729b9e919270e4ac1d306a28","tlsh":"ebd05e688d626933a5c10666482a945772728e6f14047c08678b982c91ce67798fb34d"}],"package_integrity":[{"filename":"pubnub-moderation-tool-1.0.3.tgz","hashes":{"sha1":"8d03cf03ee6cb14f32fbfe68bb0729bc17b66a03","sha512_sri":"sha512-hFRre7iOPqtRNuAJId77xDr5Zwu1N9YsFDL38mzsIJQJB8PtgMFdJgUjH7ouCHAkF+hYx2aoLKyopn0BnX+TEA=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pubnub-moderation-tool/MAL-2026-4650.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}