{"id":"MAL-2026-4737","summary":"Malicious code in your-unique-package-name1 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8a82d9cce1cd5cae0e9bae039dc08eccc18ec4494b182d11ab35c25ac4496d34)\nOn import in a browser context, index.js creates a hidden iframe pointing at https://www.pendo.io/?builder.frameEditing=true and postMessages a 'builder.patchUpdates' payload to 20 hardcoded builder-\u003cuuid\u003e resources, replacing their '/bindings/show' binding with an injected script. The injected script calls fetch('https://novus-api.pendo.io/pendo/app', {credentials:'include'}), base64-encodes the authenticated response, and beacons it in 2000-byte chunks to https://webhook.site/ea1a1f2d-46e2-463a-a1c1-48c53846dff4 via new Image().src. Any application that bundles this package will silently exfiltrate its end users' authenticated Pendo session data to an anonymous attacker-controlled webhook. The package self-describes as 'Security research PoC' but the destination is not a researcher-owned domain and the targeting (hardcoded victim UUIDs, credentials-included fetch) is consistent with a live attack rather than a contained PoC.\n","modified":"2026-05-26T06:03:07.465469583Z","published":"2026-05-25T02:44:28Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004569","import_time":"2026-05-26T05:52:51.563611848Z","modified_time":"2026-05-25T02:44:28Z","sha256":"8a82d9cce1cd5cae0e9bae039dc08eccc18ec4494b182d11ab35c25ac4496d34","versions":["1.0.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/your-unique-package-name1/v/1.0.0"}],"affected":[{"package":{"name":"your-unique-package-name1","ecosystem":"npm","purl":"pkg:npm/your-unique-package-name1"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/your-unique-package-name1/MAL-2026-4737.json","indicators":{"package_integrity":[{"hashes":{"sha1":"bcc7580ab94e7570290df4e578614426b6ccbaa1","sha512_sri":"sha512-HUHnRypedL351NSuz0qg6hvWwtjdWV7wgwpXP23/Wgef2MkZt2FoRw5v/xlSMIDkfiG70Y0a7rjMyCopZKZNrA=="},"filename":"your-unique-package-name1-1.0.0.tgz"}],"evidence_files":[{"tlsh":"dc411fbb2330049416b3616669379f1bf4b32b3b94e18992f8bacb64d5a3a801471b4d","path":"index.js","sha256":"5c332aea70085f86d39ea772daacebddd49e4cafd182b3713582ddc0d361198d"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}