{"id":"MAL-2026-4664","summary":"Malicious code in search-connector-template (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (24aea8e5a7338c49dc96e3945ed4d695024c2e169f560e6f3426005ca4666ea4)\npackage.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host identity (hostname, username, homedir, DNS servers) and reads installer-owned system files (/etc/passwd, /etc/hosts), then POSTs the JSON payload over HTTPS to a Burp Collaborator OAST subdomain (`615arnt4a5f6ii011q8kggqfk6q1er2g.oastify.com`). This is a classic install-time exfiltration beacon: the destination is attacker-controlled, the data leaving the host belongs to the installer rather than the package author, and execution requires no user action beyond running `npm install`.\n","modified":"2026-05-26T06:02:53.188530189Z","published":"2026-05-21T21:00:37Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-004028","modified_time":"2026-05-21T21:00:37Z","versions":["1.1.0"],"import_time":"2026-05-26T05:51:48.001077959Z","sha256":"24aea8e5a7338c49dc96e3945ed4d695024c2e169f560e6f3426005ca4666ea4"},{"source":"amazon-inspector","id":"IN-MAL-2026-004029","modified_time":"2026-05-21T21:00:37Z","versions":["1.1.0"],"import_time":"2026-05-26T05:51:48.125046094Z","sha256":"a3b0d5dda5e0170aec1d5dca46e941693ed27c658a8248cc91ad3f44c73b4fec"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/search-connector-template/v/1.1.0"}],"affected":[{"package":{"name":"search-connector-template","ecosystem":"npm","purl":"pkg:npm/search-connector-template"},"versions":["1.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/search-connector-template/MAL-2026-4664.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"index.js","tlsh":"48411199a2d917330dd214c06a0c70843359fab77159e89076cf42d6af869f8b7326f3","sha256":"3d83c4041eacd79f92abcd9a38423649f87bd2a9511a0b0d4c4576adde940b48"}],"package_integrity":[{"filename":"search-connector-template-1.1.0.tgz","hashes":{"sha512_sri":"sha512-AIp0nWctK7zuIlYivThStvi7v7GxvNdKyM/3cUHpWC9op3PDyuzA3XGko6y+Y8WkmuLKa9309Yb/C5o4Xi+lfQ==","sha1":"d87841c1529f2b36a78e815b78b7a2a95f2a93d2"}}],"domains":["615arnt4a5f6ii011q8kggqfk6q1er2g.oastify.com"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}