{"id":"MAL-2026-5435","summary":"Malicious code in ac_semantic-ui_ts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d)\npackage.json declares a postinstall hook that runs canary.js, which issues an HTTP GET to bare IP 157.230.17.236 on port 80 with query parameters including os.hostname(), the package name and version, a nonce, and a lifecycle phase. The package name `ac_semantic-ui_ts` paired with the inflated version `99.99.100` is the canonical dependency-confusion shape — designed to win resolution over an internal/private registry entry of the same name. Any installer who resolves this package from public npm silently transmits their host identifier to an unencrypted, hardcoded, non-publisher endpoint with no opt-in. The README self-describes as an 'authorized benign dependency-confusion canary,' but the supply-chain mechanism — install-time exfiltration of installer host metadata to a third-party IP — is identical to a malicious dependency-confusion beacon, and any installer who pulls this unintentionally has their hostname leaked.\n","modified":"2026-06-09T18:01:33.864439177Z","published":"2026-06-09T17:16:45Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T17:45:48.54918157Z","source":"amazon-inspector","versions":["99.99.100"],"sha256":"f8b97f7d3e69494d0415e13aec8d9d51ce1f5912d8c1de45a1e563e2d1b01d3d","modified_time":"2026-06-09T17:16:45Z","id":"IN-MAL-2026-005008"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ac_semantic-ui_ts/v/99.99.100"}],"affected":[{"package":{"name":"ac_semantic-ui_ts","ecosystem":"npm","purl":"pkg:npm/ac_semantic-ui_ts"},"versions":["99.99.100"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac_semantic-ui_ts/MAL-2026-5435.json","indicators":{"evidence_files":[{"tlsh":"de0119db44f2a23563fa08caa0a34e66b113c291322bacb0b88c05910f9ed9842325d5","sha256":"c415c911bad1ba1d3b0b18f814c766fc01f2f4cc825c364734a5ec1ed59c5c7b","path":"canary.js"},{"tlsh":"62e0e5249a104d3715d805d90c79556651a35c2b0a043d28b3ab509c475e6b726ff26e","sha256":"2c517d0148760f8cf6d108162dfc460e949bf00d2fef2809132ef52b3ce8c114","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-S1ufaamy20qdbxcrOceSh8KqLp5R0Jc48sEzmfRZWO4fdrdimRoBd2pQ/bpp7lW/CLuL9NwsuvM4cirCgkzz/g==","sha1":"0929e1ee3fc2c5dc9d585c7a51b56bb3c178adcc"},"filename":"ac_semantic-ui_ts-99.99.100.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}