{"id":"MAL-2026-5423","summary":"Malicious code in @nstrlabs/utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355)\nOn `npm install`, the package's `preinstall` script (`node index.js || true`) executes automatically and collects host identifiers from the installer's machine — `os.hostname()`, `os.userInfo().username`, `__dirname`, and `process.cwd()` — then exfiltrates them through two channels. First, the JSON payload is POSTed to a hardcoded bare IP `http://172.201.213.59:9090/c`. Second, the data is hex-encoded into a subdomain and resolved via DNS against `*.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live`, an Interactsh out-of-band beacon. The `|| true` suffix swallows any error so the install always succeeds silently. Although the package metadata describes itself as 'security research', every installer is harmed: host reconnaissance fires unconditionally on install with no opt-out and no disclosure.\n","modified":"2026-06-09T19:01:29.427332026Z","published":"2026-06-09T17:41:29Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T17:45:54.800420201Z","modified_time":"2026-06-09T17:41:29Z","source":"amazon-inspector","id":"IN-MAL-2026-005102","sha256":"3dc7b28e2c70c166b75e806b589dac5e2aae3dffe338f5b9f2707692dd1b8c17","versions":["99.0.1"]},{"import_time":"2026-06-09T17:45:54.771040179Z","modified_time":"2026-06-09T17:41:29Z","source":"amazon-inspector","versions":["99.0.1"],"sha256":"84a4bcae5f6897112304920f60d6cbb6cbe880104db4ef1ff69be17fbb69b8ac","id":"IN-MAL-2026-005101"},{"import_time":"2026-06-09T18:50:19.119930512Z","modified_time":"2026-06-09T17:55:14Z","source":"amazon-inspector","id":"IN-MAL-2026-005142","sha256":"36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355","versions":["99.0.0"]},{"import_time":"2026-06-09T18:50:19.200496564Z","modified_time":"2026-06-09T17:55:15Z","source":"amazon-inspector","versions":["99.0.0"],"sha256":"99c9771eea6e1ac9070aeee2d1c4a2264bfd92586e2af228932ca88f5fee0b0f","id":"IN-MAL-2026-005143"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@nstrlabs/utils/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@nstrlabs/utils/v/99.0.0"}],"affected":[{"package":{"name":"@nstrlabs/utils","ecosystem":"npm","purl":"pkg:npm/%40nstrlabs%2Futils"},"versions":["99.0.1","99.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/utils/MAL-2026-5423.json","indicators":{"evidence_files":[{"tlsh":"51f0e1e161a0d5f99b709590bdd4668457f3d656b04288f0dc4d0fcf46c24d09d769e1","path":"index.js","sha256":"70894a72ac8089a8f10aee8d420131e6179f13f6657f7dc30f3993e2fc2c042c"}],"package_integrity":[{"filename":"utils-99.0.1.tgz","hashes":{"sha512_sri":"sha512-1TBU/MWPugA8i5/hXTfWvZC8PZ686rS3UzMFrCAjCjqzBZxPTuSI+BvftBQvF3r1QeWg7SIRdPYKqF0wfvUmIQ==","sha1":"090ffb365209bc248de504cabc4197416b621e79"}}],"domains":["7b2268223a227363616e2d376232363339653061346434222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f7574696c73222c2263223a222f686f.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}