{"id":"MAL-2026-4655","summary":"Malicious code in qr-code-styling-temp (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (004a5cc51cc0e38448c56189fb4437ad113eec163f7ae1a7692b88d6aed71182)\nThe package's `install` lifecycle script (`node index.js`) and its main entry both load `lib/core.js`, which reads `os.userInfo().username`, `os.hostname()`, and the current working directory basename and encodes them into a subdomain of `oob.sl4x0.xyz`, then triggers a `dns.resolve4` lookup of `samsung.\u003cuser\u003e.\u003chost\u003e.\u003ccwd\u003e.\u003cts\u003e.oob.sl4x0.xyz`. This is an out-of-band DNS exfiltration beacon that fires on every `npm install` and on every `require()` of the package, leaking installer identity to an attacker-controlled domain. Module names (`os`, `dns`, `process`, `userInfo`, `hostname`, `resolve4`) and the C2 domain are hidden as `String.fromCharCode` charcode arrays in lib/b02e30.js and lib/6ad264.js, with `os` and `dns` loaded via `module.constructor._load(...)` to evade static `require` scanners. The package name impersonates the popular `qr-code-styling` library but ships an unrelated API surface, and the author email `research@sl4x0.xyz` shares the same domain as the exfiltration host — confirming the typosquat lure and attacker-controlled infrastructure.\n","modified":"2026-05-26T06:02:51.402832942Z","published":"2026-05-19T18:45:27Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-19T18:45:27Z","id":"IN-MAL-2026-003240","import_time":"2026-05-26T05:50:16.384829394Z","source":"amazon-inspector","sha256":"004a5cc51cc0e38448c56189fb4437ad113eec163f7ae1a7692b88d6aed71182","versions":["9.9.10"]},{"versions":["9.9.11"],"id":"IN-MAL-2026-003248","import_time":"2026-05-26T05:50:17.416947799Z","source":"amazon-inspector","sha256":"20b1cb1f8211a6eb0d5b0ec3bb8cf8819cdd1c661c806e838d62f8c157e0e37f","modified_time":"2026-05-19T18:58:10Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/qr-code-styling-temp/v/9.9.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/qr-code-styling-temp/v/9.9.11"}],"affected":[{"package":{"name":"qr-code-styling-temp","ecosystem":"npm","purl":"pkg:npm/qr-code-styling-temp"},"versions":["9.9.10","9.9.11"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"lib/core.js","sha256":"d24415d02b2768deed6613ba41e3837825889459718a582d352a0805d40a321c","tlsh":"d0f02d69b393c48f97e096d0360a53d18559c3c0e7cf8195fb7c4a87904e7d1ca85a55"},{"path":"lib/b02e30.js","sha256":"1a2311c854ee8851bcbb6c5ec8cad943891f72e184b21bd9716581be36295af0","tlsh":"56e068073303c94fa1c80bfb7d0050e0aa0d8b58a21dc0d6b528678500af447c0c0632"},{"tlsh":"16218b22ce214c233ad969a0ad6d3941b4a70c974e547c0977c2522d8fdf26f12bf61d","sha256":"a30d0c5d786712e9c52406ca2a4e8671031aa6e93ee0b4512776bbe3c6cab583","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-veeCwOt/VuCzgo8x3TW2v2ZKMlOok62RbOn70hYbJJrmZjtI5EkJIYw9VNcOgY9qqStWgNhMNTWzZ6VMAwSXhg==","sha1":"07bf549e8950e4005997e20e77f7376de489af54"},"filename":"qr-code-styling-temp-9.9.10.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qr-code-styling-temp/MAL-2026-4655.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}