{"id":"MAL-2026-5350","summary":"Malicious code in @demica/resources (npm)","details":"**Note:** *This report is updated by a verification record*\n\nDep-confusion squat of internal @demica/resources at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); \"authorized canary\" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (98805b03541bafd28883acb75e8fd9d0e4ea947d75062563c34438dec82139bf)\nOn `npm install`, the package's `scripts.postinstall` executes `canary.js`, which issues an unconditional plain-HTTP GET to the hardcoded bare IP `157.230.17.236` on port 80 at path `/dc?...`. The query string includes `os.hostname()` (truncated to 200 chars) plus the package name, version, a nonce, and a phase identifier. This fires automatically on every install with no opt-out. The package self-describes as a 'dependency-confusion canary,' but it is published on the public npm registry under the `@demica/*` scope: any installer that resolves `@demica/resources` — including via accidental dependency confusion, typo, or curiosity install — will leak their hostname to the operator of that bare IP over unencrypted HTTP.\nThe destination is an anonymous bare IP with no associated domain, publisher, or disclosure; hostname is an installer-side host identifier transmitted off-host to an attacker-shaped endpoint.\n","modified":"2026-06-09T18:01:35.187230635Z","published":"2026-06-09T07:52:42Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["99.99.100"],"import_time":"2026-06-09T17:45:48.781767216Z","modified_time":"2026-06-09T17:17:09Z","id":"IN-MAL-2026-005011","sha256":"98805b03541bafd28883acb75e8fd9d0e4ea947d75062563c34438dec82139bf"}]},"references":[{"type":"REPORT","url":"https://app.safedep.io/community/malysis/01KTMB44098ATG3YSX2G0Q9M23"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@demica/resources/v/99.99.100"}],"affected":[{"package":{"name":"@demica/resources","ecosystem":"npm","purl":"pkg:npm/%40demica%2Fresources"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["99.99.100"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@demica/resources/MAL-2026-5350.json","indicators":{"package_integrity":[{"filename":"resources-99.99.100.tgz","hashes":{"sha512_sri":"sha512-usZC4m0eLfBF338dOj+4GEhW8LQsktvuJjg2GysxcwscAQ1n9w3IwIkK1NkU/XbXDcJPwW9MjogsxCUnvttQFg==","sha1":"e3020603b20e1a28a9fa0a94f0a44d543be787e9"}}],"evidence_files":[{"sha256":"0383509dcbcb2b73adaf08369e849a006a06f130c703013f2b42b46a089fb5af","tlsh":"0401f1db88f2d231a3f609ca64a34e67f122d291326bacf0b88c19511f8e98c43755d4","path":"canary.js"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}