{
  "id": "MAL-2026-5344",
  "summary": "Malicious code in @bancolonbia/menu-filter-widget-web (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (76511e7873dc4a76b8447f91807e48289877ee612cd0d94526206390bbda7f3e)\npackage.json declares `scripts.postinstall: node./callback.js`, which fires automatically on `npm install`. callback.js reads the installer's hostname and transmits it to a hardcoded Burp Collaborator domain (`3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com`) via two channels: an HTTPS GET to `/\u003ctoken\u003e/\u003cencodeURIComponent(host)\u003e` and a DNS lookup against a subdomain encoding the same token + hostname. The package self-describes as an \"authorized security research PoC\" but is published under the `@bancolonbia` scope (a likely typosquat of the Bancolombia corporate namespace), matching the classic dependency-confusion shape: a private-looking scoped name registered publicly so a misconfigured internal build resolves to this package and beacons victim identity to the researcher/attacker. Whether or not the operator is authorized by Bancolombia, any third party who installs this package has their hostname exfiltrated to an attacker-controlled Collaborator endpoint without consent.\n\n## Source: ossf-package-analysis (fff12ed8f9f042d996b7c1167a9987b941eedcdedd7dbc2065579c4394e5b8b6)\nThe OpenSSF Package Analysis project identified '@bancolonbia/menu-filter-widget-web' @ 0.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n",
  "modified": "2026-06-09T21:01:33.341652429Z",
  "published": "2026-06-09T09:20:38Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-06-09T10:41:56.224884127Z",
        "source": "ossf-package-analysis",
        "sha256": "fff12ed8f9f042d996b7c1167a9987b941eedcdedd7dbc2065579c4394e5b8b6",
        "modified_time": "2026-06-09T09:20:38Z",
        "versions": ["0.0.1"]
      },
      {
        "id": "IN-MAL-2026-005240",
        "import_time": "2026-06-09T20:45:58.996454307Z",
        "source": "amazon-inspector",
        "sha256": "3cca61c689abd692e18d4d07a8daed2b9e6d0b27348a20804f6422ffc1cce978",
        "modified_time": "2026-06-09T20:43:20Z",
        "versions": ["0.0.1"]
      },
      {
        "id": "IN-MAL-2026-005239",
        "import_time": "2026-06-09T20:45:58.783658545Z",
        "source": "amazon-inspector",
        "sha256": "76511e7873dc4a76b8447f91807e48289877ee612cd0d94526206390bbda7f3e",
        "modified_time": "2026-06-09T20:43:20Z",
        "versions": ["0.0.1"]
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@bancolonbia/menu-filter-widget-web/v/0.0.1"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "@bancolonbia/menu-filter-widget-web",
        "ecosystem": "npm",
        "purl": "pkg:npm/%40bancolonbia%2Fmenu-filter-widget-web"
      },
      "versions": ["0.0.1"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bancolonbia/menu-filter-widget-web/MAL-2026-5344.json",
        "indicators": {
          "evidence_files": [
            {
              "path": "callback.js",
              "sha256": "a1796ad3ed640844791551a0cfc9aabe691ec7ffe3431212c70e3c061254260b",
              "tlsh": "b601c2fe06c4c73c594035c1e156543ae1abf244718699f0b46f321243e657626734f9"
            },
            {
              "path": "package.json",
              "sha256": "43e2aea1b070a51a39ac3ee0be364a3160786de0d3b0f3dc37e866d2445f5c00",
              "tlsh": "30d0a7b05d0346773cd1ff9b0932429e5578cf197649852d19f16364846a9f4417136d"
            }
          ],
          "domains": [
            "3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com",
            "poc-widget-001.scan-85faf31ba8d1.3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com"
          ],
          "package_integrity": [
            {
              "hashes": {
                "sha1": "46e98db4f946069b86db6c0c0eb9b02151f62c1a",
                "sha512_sri": "sha512-D3bjH6oQbez4IFEq0UDAnAHVJtHwy8EQRexa0wGsDEGT0b1DU3vmFaHvhFFY8lgbvWtjbvINdKZYD3WmYR1Usw=="
              },
              "filename": "menu-filter-widget-web-0.0.1.tgz"
            }
          ]
        },
        "cwes": [
          {
            "cweId": "CWE-506",
            "name": "Embedded Malicious Code",
            "description": "The product contains code that appears to be malicious in nature."
          }
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["inspector-research@amazon.com"],
      "type": "FINDER"
    },
    {
      "name": "OpenSSF: Package Analysis",
      "contact": ["https://github.com/ossf/package-analysis", "https://openssf.slack.com/channels/package_analysis"],
      "type": "FINDER"
    }
  ]
}