{"id":"MAL-2026-5422","summary":"Malicious code in @nstrlabs/shared-components (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445)\nOn `npm install`, the package's preinstall script runs index.js, which collects host identifiers (os.hostname(), os.userInfo().username, __dirname, process.cwd(), package name) and ships them to two attacker-controlled destinations: (1) a hex-encoded DNS subdomain query against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live` (Interactsh-style out-of-band exfiltration), and (2) an HTTP POST of the same JSON payload to bare IP `http://172.201.213.59:9090/c`. The package is published under `@nstrlabs/shared-components` at version `99.0.0` with description `security research` — a high semver against a generic scoped name consistent with a dependency-confusion attack targeting an internal `nstrlabs` namespace. There is no legitimate library functionality; the preinstall beacon is the package's only effect.\n","modified":"2026-06-09T19:01:29.425946433Z","published":"2026-06-09T17:38:39Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005086","import_time":"2026-06-09T17:45:53.742254201Z","sha256":"af9737388d5d3e4542198eb5ae3bb13c2d13eefc97331fb32ed105626218776a","modified_time":"2026-06-09T17:38:39Z","source":"amazon-inspector","versions":["99.0.1"]},{"id":"IN-MAL-2026-005087","import_time":"2026-06-09T17:45:53.884376129Z","sha256":"ebac43bd1c2448eeb204605bf63cd432020d8bbb4f6d52519ab1a88ac43137d8","modified_time":"2026-06-09T17:38:39Z","source":"amazon-inspector","versions":["99.0.1"]},{"id":"IN-MAL-2026-005152","import_time":"2026-06-09T18:50:20.378210193Z","sha256":"efc72373a5a06d31becb2dd02ced949866c9da14ae6d0bfdb3b4f4c882e40445","modified_time":"2026-06-09T17:56:40Z","source":"amazon-inspector","versions":["99.0.0"]},{"id":"IN-MAL-2026-005153","import_time":"2026-06-09T18:50:20.502421363Z","sha256":"2726b4c9e7c8d06bdcf4396f2e33ee39e620b79710e5fbe6ca2b9dbe6dc50dcc","modified_time":"2026-06-09T17:56:40Z","versions":["99.0.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@nstrlabs/shared-components/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@nstrlabs/shared-components/v/99.0.0"}],"affected":[{"package":{"name":"@nstrlabs/shared-components","ecosystem":"npm","purl":"pkg:npm/%40nstrlabs%2Fshared-components"},"versions":["99.0.1","99.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"b75d5f584b998d1021ac03ad2f939fb9aa1b18728dce12f7deeca3fa5e5909be","tlsh":"79f00ce121a0d0bdaba09590bd946a8153f3c256b04288f0dc0d0ecf06c24d05c7a9e1","path":"index.js"},{"tlsh":"51d012782920b836769582f169766c4e72e9825454c448444ae305b495f279c906e056","sha256":"bbae3ef6b8bf185e555478fdb63509731c179a7a8f2090e81d5f0f727a6145e1","path":"package.json"}],"domains":["7b2268223a227363616e2d613363633035653930393163222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f7368617265642d636f6d706f6e656e.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-tbaAnEmOtwq+B94s8PaRoBeyn9+Ppfq3glSS/5hNp6neWNyNgdApl1ZsHucGxxtWZfzNer0v9wVoAF72H6s+8A==","sha1":"d4d2395b155be0c475087ebe378db675bfab86fd"},"filename":"shared-components-99.0.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/shared-components/MAL-2026-5422.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}