{"id":"MAL-2026-5351","summary":"Malicious code in @demica/shared (npm)","details":"**Note:** *This report is updated by a verification record*\n\nDep-confusion squat of internal @demica/shared at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); \"authorized canary\" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dfc020ab633bac129072df0d74deea8e0a2e118b43dbebf01ba9bbf2b13b6e76)\n@demica/shared@99.99.100 declares `postinstall: node canary.js postinstall` in package.json, which fires automatically on `npm install`. canary.js issues a plaintext HTTP GET to bare IP 157.230.17.236:80 at path `/dc?...` with query parameters including `os.hostname()`, the package name/version, a nonce, and the lifecycle phase. The installer's host identifier is disclosed to a third-party endpoint over unauthenticated HTTP without consent. The package self-describes as a 'dependency-confusion canary' and uses an inflated version (99.99.100) under the @demica scope to outrank a presumed internal package of the same name — the canonical dependency-confusion attack shape. Regardless of the operator's stated intent, any party that resolves this public package on `npm install` is beaconed to an attacker-shaped destination (bare IP, plaintext HTTP, no opt-out).\n","modified":"2026-06-09T18:01:34.373834979Z","published":"2026-06-09T07:53:11Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-09T17:17:04Z","versions":["99.99.100"],"source":"amazon-inspector","id":"IN-MAL-2026-005010","import_time":"2026-06-09T17:45:48.736420074Z","sha256":"dfc020ab633bac129072df0d74deea8e0a2e118b43dbebf01ba9bbf2b13b6e76"}]},"references":[{"type":"REPORT","url":"https://app.safedep.io/community/malysis/01KTMB4DP7F1BBR64PST1HZSH9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@demica/shared/v/99.99.100"}],"affected":[{"package":{"name":"@demica/shared","ecosystem":"npm","purl":"pkg:npm/%40demica%2Fshared"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["99.99.100"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@demica/shared/MAL-2026-5351.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"path":"canary.js","tlsh":"a0011edb48b1e27223f608caa0630e67f212d291326bacf07c8809411f8e88c4276994","sha256":"f0e043a9aa214fb0e7b51f2db91b34110f86ec47d1b9f986817ecfab32db66a2"},{"path":"package.json","tlsh":"b0e055209a100d3721d815d90c6e406391630c2b0a043d2873af405c575e3b726ff22e","sha256":"916dd2a16d4bcb559c5da020f7768ca235bc374942a61ffdd6c9b2758c4264c2"}],"package_integrity":[{"filename":"shared-99.99.100.tgz","hashes":{"sha1":"d65f625818583c60e1a94e298d6e8c2b64ac2783","sha512_sri":"sha512-pHwqm1rzcY74zztUBYZUW8fBzIPAI4pqH621RewuSQ78aZ2jpu6FEtOjydE1LxQcKVfhyapcAm3daqpQqR0F5A=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}