{"id":"MAL-2026-5287","summary":"Malicious code in uhd-setup (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8cd16b0b6896b16874da441b7197b846bf0c725dcff0ef2d6e8f93c6cc08fc99)\npackage.json declares `scripts.preinstall: node index.js`. On `npm install`, index.js (lines 4-5) performs `dns.resolve` and `https.get` against `\u003cid\u003e.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online`, an Interactsh OAST collector. The request fires unconditionally with no opt-out, leaking the installer's egress IP, internal DNS resolver identity, and fact-of-install (with the package id encoded in the subdomain and URL path) to a third-party-controlled endpoint. The README frames this as authorized dependency-confusion research targeting Ubiquiti, but the beacon does not gate on any organizational identifier — any installer that pulls this name (typo, internal-name collision, automated mirror) sends build-system metadata to the researcher. Trigger is the preinstall lifecycle hook, so the network call fires before any code review opportunity.\n\n## Source: ossf-package-analysis (358eee34aaba61eaa93e977d35a18f35f59a56527d7c20b6e9a0bdf9c4a0a8da)\nThe OpenSSF Package Analysis project identified 'uhd-setup' @ 99.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-09T21:01:37.174433540Z","published":"2026-06-06T19:02:40Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-06T19:34:10.035644618Z","modified_time":"2026-06-06T19:02:40Z","source":"ossf-package-analysis","sha256":"358eee34aaba61eaa93e977d35a18f35f59a56527d7c20b6e9a0bdf9c4a0a8da","versions":["99.0.0"]},{"import_time":"2026-06-09T20:45:59.815869001Z","modified_time":"2026-06-09T20:44:09Z","source":"amazon-inspector","versions":["0.0.1-security-research"],"id":"IN-MAL-2026-005244","sha256":"7cf641e43172371f2f9c843ad0b68bad139485231e30e9ef8072197977d9f2d5"},{"import_time":"2026-06-09T20:45:59.636747398Z","modified_time":"2026-06-09T20:44:08Z","source":"amazon-inspector","versions":["0.0.1-security-research"],"id":"IN-MAL-2026-005243","sha256":"8cd16b0b6896b16874da441b7197b846bf0c725dcff0ef2d6e8f93c6cc08fc99"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/uhd-setup/v/0.0.1-security-research"}],"affected":[{"package":{"name":"uhd-setup","ecosystem":"npm","purl":"pkg:npm/uhd-setup"},"versions":["99.0.0","0.0.1-security-research"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uhd-setup/MAL-2026-5287.json","indicators":{"package_integrity":[{"hashes":{"sha1":"de2cb00c9af2ba56f4a5ce21f9c7d2e6d83cbd44","sha512_sri":"sha512-lABJRYBYdkO2B7/Rz9B/BGbBCMTcCbWkCQbs1Ma9nT8yiOWSk9EZWllD86u7jBpcxROo1ClkuUIezLDRFgtvIg=="},"filename":"uhd-setup-0.0.1-security-research.tgz"}],"evidence_files":[{"sha256":"360abfce2267dda034c4ab35ec47909a7b4e1a299ca7a14d6112537a352e11ea","path":"index.js","tlsh":"21d0c2f923e1f27809a1a8d4d285f92e8403d00033ac9054d02846b49c83b79a8f08d0"}],"domains":["d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online","uhd-setup.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}