{"id":"MAL-2026-5407","summary":"Malicious code in @card-pci-data/store (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871)\nOn `npm install`, the package's preinstall hook (`scripts.preinstall: node index.js || true`) runs index.js which collects host identity — `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` — and exfiltrates it through two channels: (1) an HTTP POST to the hardcoded bare IP `172.201.213.59:9090/c`, and (2) a DNS resolution of a hex-encoded label appended to `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an interactsh-style out-of-band beacon). The package has no advertised functionality beyond this beacon; its description is `security research` and the scoped name `@card-pci-data/store` impersonates payment-card / PCI-related tooling, consistent with a dependency-confusion or namespace-abuse lure. This auto-executes on default install and produces clear attacker benefit (installer host fingerprint delivered to attacker-controlled infrastructure).\n","modified":"2026-06-09T19:01:30.778108907Z","published":"2026-06-09T17:35:53Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-09T17:35:54Z","versions":["99.0.1"],"id":"IN-MAL-2026-005079","import_time":"2026-06-09T17:45:53.245710638Z","sha256":"33b09478f47cfd67351be7f721c43e09b762c10c8a906841cfbd23831402545e","source":"amazon-inspector"},{"modified_time":"2026-06-09T17:35:53Z","versions":["99.0.1"],"id":"IN-MAL-2026-005078","import_time":"2026-06-09T17:45:53.147066206Z","sha256":"9a82d7b7e7588c4b773e2948eb1707e62f2fcece2bec37a23eda5d5058eae871","source":"amazon-inspector"},{"modified_time":"2026-06-09T17:55:24Z","versions":["99.0.0"],"id":"IN-MAL-2026-005147","import_time":"2026-06-09T18:50:19.635342359Z","sha256":"779786fd07ed03346ff0fac4649d39b7d75f0e02269dda4247843e6b5fa409b3","source":"amazon-inspector"},{"modified_time":"2026-06-09T17:55:24Z","versions":["99.0.0"],"id":"IN-MAL-2026-005146","import_time":"2026-06-09T18:50:19.473340045Z","sha256":"4665eb8e66828c47db4912fce66beb3d7a30609a37a48a81d6010d796ba4fbf6","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@card-pci-data/store/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@card-pci-data/store/v/99.0.0"}],"affected":[{"package":{"name":"@card-pci-data/store","ecosystem":"npm","purl":"pkg:npm/%40card-pci-data%2Fstore"},"versions":["99.0.1","99.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@card-pci-data/store/MAL-2026-5407.json","indicators":{"domains":["7b2268223a227363616e2d313566656561353430633565222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f40636172642d7063692d646174612f73746f7265222c226322.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"],"package_integrity":[{"filename":"store-99.0.1.tgz","hashes":{"sha512_sri":"sha512-8F1mWva0CQzXAqQWuzO39czBXg1eyQJAN8xQSg8pHVaJVqlCpDE9wD1pBxA8SqEoEefVp3H5T7ol+jAZuZ0Liw==","sha1":"1b8ac6d1426ccf779b7405be08b567c6a7d78d88"}}],"evidence_files":[{"path":"index.js","sha256":"5e6a71454d901349dd305b024607124b6e60d0de67c15f724432ab876f883169","tlsh":"fdf041e222b0d0fd9b708a90bcc46a8053b3d642b00288f0dc4c0fcf06c28d05d769f1"},{"path":"package.json","sha256":"174ce00326dc0301df92e6230104dbfc4d07580f7d83a0e6904a523ee26d4580","tlsh":"f6c012782930b8361aa587f169766c4c71f98654508449084ae6517495b6bd891ad015"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}