{"id":"MAL-2026-4822","summary":"Malicious code in loadtest-browser-lib (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (934a61b207f82f8549de09139a73a80f47746bba1dacd21f657d34e6e542324e)\nOn `npm install`, the package's preinstall hook executes index.js, which collects host identifiers (hostname, username, platform, arch, cwd, pid, timestamp) and sends them as query parameters in an HTTPS request to `fxpkkxatijbbyxuhdclqig6334q9m1j8w.oast.fun`, an out-of-band callback host. package.json declares `\"preinstall\": \"node index.js\"`, so the beacon fires automatically on default install with no user interaction. The package self-describes as 'hijacking by yusif', consistent with a dependency-confusion / namespace-hijack proof-of-concept payload. Any installer running `npm install` leaks identifying machine information to the attacker's collaborator endpoint.\n","modified":"2026-05-26T17:01:45.780264429Z","published":"2026-05-26T15:27:31Z","database_specific":{"malicious-packages-origins":[{"sha256":"934a61b207f82f8549de09139a73a80f47746bba1dacd21f657d34e6e542324e","import_time":"2026-05-26T16:47:31.765363146Z","id":"IN-MAL-2026-004929","versions":["1.31.3"],"source":"amazon-inspector","modified_time":"2026-05-26T15:27:31Z"},{"sha256":"c81e2ecc8a6dfe7a5b7e5f2d1fd48690a5f1dff0dab6357f33eb2869c4db3c16","import_time":"2026-05-26T16:47:31.890863163Z","id":"IN-MAL-2026-004932","versions":["1.31.3"],"source":"amazon-inspector","modified_time":"2026-05-26T15:34:15Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/loadtest-browser-lib/v/1.31.3"}],"affected":[{"package":{"name":"loadtest-browser-lib","ecosystem":"npm","purl":"pkg:npm/loadtest-browser-lib"},"versions":["1.31.3"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loadtest-browser-lib/MAL-2026-4822.json","indicators":{"domains":["fxpkkxatijbbyxuhdclqig6334q9m1j8w.oast.fun"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-WtTPIxEi+V/9fmrWlQMzKj4GuyF6n0PH95tU0ysuwCu3UdbZfpyOcBkdexQ+G9K6AxNr5FWEOZ7yfAWRcaeCDg==","sha1":"9abbdcfbfb004854a95dcc974a6e487c5c11f298"},"filename":"loadtest-browser-lib-1.31.3.tgz"}],"evidence_files":[{"sha256":"f3a0f65846fb606655b12a8d7ce292057b06ad32b7193fbb3a1cd243c3e3f6fe","path":"index.js","tlsh":"6111e3f559f28a641dbb31c455866905a09ad1137d0df8fc7e5d43e00f8547a45a0ab4"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}