{"id":"MAL-2026-5415","summary":"Malicious code in @klapp-login-platform/routes (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7)\nOn `npm install`, the package's `preinstall` lifecycle hook executes `index.js`, which collects the installer's hostname, username, package install path (`__dirname`), current working directory, and package name, serializes them to JSON, hex-encodes the result, and exfiltrates the data through two channels: DNS lookups against subdomains of `d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (an Interactsh out-of-band callback host) and an HTTP POST to the bare IP endpoint `http://172.201.213.59:9090/c`. The package ships almost no functional code; its purpose is the beacon. The scope `@klapp-login-platform` paired with an inflated `99.0.2` version and a generic `routes` name fits the canonical dependency-confusion pattern of publishing a high-version public package to shadow an internal private package of the same name, causing affected build environments to resolve and install this attacker-controlled release.\n","modified":"2026-06-09T19:01:29.401203322Z","published":"2026-06-09T17:35:02Z","database_specific":{"malicious-packages-origins":[{"versions":["99.0.2"],"modified_time":"2026-06-09T17:35:02Z","import_time":"2026-06-09T17:45:52.482280328Z","id":"IN-MAL-2026-005068","sha256":"c9f6b9efd71eddb881438d2ca27620bd74bfb2d294c4c93a31810f9b4a0398be","source":"amazon-inspector"},{"versions":["99.0.2"],"modified_time":"2026-06-09T17:35:02Z","import_time":"2026-06-09T17:45:52.373735047Z","id":"IN-MAL-2026-005067","sha256":"ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7","source":"amazon-inspector"},{"versions":["99.0.0"],"modified_time":"2026-06-09T17:50:25Z","import_time":"2026-06-09T18:50:17.933705372Z","id":"IN-MAL-2026-005128","sha256":"e9913ce094c3b9378054947a30b6006a21c13aaac0cca90b707c13a81c962894","source":"amazon-inspector"},{"versions":["99.0.0"],"modified_time":"2026-06-09T17:50:25Z","import_time":"2026-06-09T18:50:17.983040368Z","id":"IN-MAL-2026-005129","sha256":"bb01db4904bb167c8048cc3cb668a0e554a972e0a68c95ff18df9d161affef7f","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@klapp-login-platform/routes/v/99.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@klapp-login-platform/routes/v/99.0.0"}],"affected":[{"package":{"name":"@klapp-login-platform/routes","ecosystem":"npm","purl":"pkg:npm/%40klapp-login-platform%2Froutes"},"versions":["99.0.2","99.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"domains":["7b2268223a227363616e2d633064633039326164646639222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406b6c6170702d6c6f67696e2d706c6174666f726d2f726f75.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"],"evidence_files":[{"path":"index.js","tlsh":"74f00ce162b0d0f98b708580ecc4668056b7c256b002c8e4dc0c0ece0ac24e05c76ae1","sha256":"750349cd1da7c9d227661c16f90045833969a85566dd871d67ee883d5dc29557"},{"path":"package.json","tlsh":"65d022381a31b836076142f0a8b5ac4c60f8c2181080cd0c8ee680b085b17e8809e001","sha256":"e9809650aaa6c44320524f04e89824561ea013d96df0a3a6f30c84bac913460e"}],"package_integrity":[{"filename":"routes-99.0.2.tgz","hashes":{"sha1":"d961c8641c2be0e25e2d18dc6033b64ce3abca31","sha512_sri":"sha512-f5bb4sAmD2CgVUsX6Ls+8wBJdg22O9YtS5EgxcyfXeAEfKmAHZ6K7xv4g6OzBR0vzXWCX6pIOqXTL8b4wAKivQ=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-login-platform/routes/MAL-2026-5415.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}