{"id":"MAL-2026-4710","summary":"Malicious code in walmart-shared-modules (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a)\nPackage declares `preinstall: node poc.js`, which on `npm install` collects host identity (os.hostname, whoami/id, ipconfig/ip a output), scrapes environment variables matching credential-shaped prefixes (TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, JENKINS, CI_, WALMART, WMT), reads the parent project's package.json and CI configuration files (.gitlab-ci.yml, .github/workflows, Jenkinsfile), and HTTPS POSTs the aggregated JSON to a hardcoded interactsh OOB endpoint at d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me, plus a DNS callback with a hex-encoded hostname/username. The package is published at version 99.0.1 with a self-described 'Dependency Confusion PoC' purpose targeting Walmart's internal `walmart-shared-modules` namespace, intended to win npm's highest-version-wins resolution. 
Any installer outside Walmart's authorized testing scope still suffers full environment and CI-secret exfiltration; self-declared 'security research' framing does not neutralize the harm to unrelated installers.\n","modified":"2026-05-26T06:03:04.393295604Z","published":"2026-05-25T14:15:57Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:05.288171155Z","versions":["99.0.1"],"source":"amazon-inspector","id":"IN-MAL-2026-004687","modified_time":"2026-05-25T14:15:57Z","sha256":"963185e66a528f9fb7cb25980d37e538ddda90ec99330c003b3aa31a4cd516a7"},{"import_time":"2026-05-26T05:53:05.190338731Z","versions":["99.0.1"],"source":"amazon-inspector","id":"IN-MAL-2026-004686","modified_time":"2026-05-25T14:15:57Z","sha256":"e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/walmart-shared-modules/v/99.0.1"}],"affected":[{"package":{"name":"walmart-shared-modules","ecosystem":"npm","purl":"pkg:npm/walmart-shared-modules"},"versions":["99.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/walmart-shared-modules/MAL-2026-4710.json","indicators":{"domains":["walmart-shared-modules-7363616e2d39366661396566653930.d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me","d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-XANMC5dSfjjua3xPO0JVIlyC/8Hl4eVFgsVW5BgMza/OaPSS4PYM3r/F6bz7XvFb5j5L4rJJRYqM04JG4KqrVw==","sha1":"f9e6b76e04028cd5a2aa693c78aa28c834eba87a"},"filename":"walmart-shared-modules-99.0.1.tgz"}],"evidence_files":[{"path":"poc.js","tlsh":"4571c8d482fa1e30226a74b1f5cd000522d7d3933246f9d4798c1a919f9f4b482f67bd","sha256":"71fc07e0628fed895e841f0af5a76744429568513134461d78cc9bd6708ab10e"},{"path":"package.json","tlsh":"45e07d781870143316d8c6fa25b74547a128dd0b511c6c290b57348c42afb7301bfb5d","sha256":"6d83ebecd7ef09f18cbd25694484ecc5987fa68819e3f8b027ad89cbfb969c99"}]},"c
wes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}