{"id":"MAL-2026-5393","summary":"Malicious code in @sflyinc-knapsack/shutterfly-react (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d)\nOn require/load, index.js collects host identifiers (os.hostname(), os.userInfo(), os.homedir()), DNS server configuration, package.json metadata, and __dirname, then HTTPS-POSTs them to nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com — a Burp Collaborator (OAST) subdomain. The package is published at version 999.0.0 under a scope mimicking an internal Shutterfly namespace, designed to win npm version resolution against the legitimate private package. Any installer who imports this package leaks host and internal-package metadata to an attacker-controlled endpoint. The package's own description self-identifies as a dependency-confusion proof-of-concept, but the live registry artifact still executes against any consumer that resolves it.\n","modified":"2026-06-09T17:16:30.006604350Z","published":"2026-06-09T16:06:18Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-09T16:06:19Z","sha256":"8d25695a7eded18f548d50ed71fd21fb7eed6b20300c158dd0345659df729cc1","import_time":"2026-06-09T16:59:44.789424185Z","versions":["999.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-004964"},{"modified_time":"2026-06-09T16:06:18Z","sha256":"d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d","import_time":"2026-06-09T16:59:44.727246563Z","versions":["999.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-004963"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@sflyinc-knapsack/shutterfly-react/v/999.0.0"}],"affected":[{"package":{"name":"@sflyinc-knapsack/shutterfly-react","ecosystem":"npm","purl":"pkg:npm/%40sflyinc-knapsack%2Fshutterfly-react"},"versions":["999.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sflyinc-knapsack/shutterfly-react/MAL-2026-5393.json","indicators":{"domains":["nlc574f24tq03k423v3jr7hllcr3ft3i.oastify.com"],"package_integrity":[{"hashes":{"sha1":"eafd12bebd0a167dc70228a97ebf225b4dac982b","sha512_sri":"sha512-FBskLH9SvuumJ8mzT8hgHuUiSaK7XNrHj8RxNFQCKtELW0c48I8yUvJONL0HP5nWaMQzbLKrMBJyNs7qjTuIAg=="},"filename":"shutterfly-react-999.0.0.tgz"}],"evidence_files":[{"sha256":"2d35a30029f166d5354591cea3a714bc43ce66b8ee66738b2ac593b8b8a05b0c","path":"index.js","tlsh":"a1118ce4c5e123600dba45947499e00822aae737750e6cd8f58d03d04fcaabd60b39f2"},{"path":"package.json","sha256":"1699a1bc2d8fa5edb4f5dba0810e8cf0514439d4ff892e46d653f9aa134b700b","tlsh":"dfe026b8c24054630de6c9e915726216681ecc372400fa69af4a125c92defb7da76768"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}