{"id":"MAL-2026-5445","summary":"Malicious code in grateful-payments (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471)\nOn `npm install`, the package's postinstall script (src/canary.js) performs a DNS lookup and HTTPS GET to the hardcoded host `96e03fa6c292469a-172-245-86-254.serveousercontent.com` at path `/c`. serveousercontent.com is an anonymous reverse-tunnel service, so the destination is operator-controlled and not tied to a verifiable publisher. Every installer's machine emits an unconsented outbound network call at install time, revealing source IP, DNS resolver path, and install timing to the tunnel operator — a classic install-fleet beaconing pattern used to confirm compromise reach. The package's own metadata describes itself as a HackerOne research canary with an empty main module, but the install-time network behavior is identical to a real install-time beacon and runs on anyone who installs this version.\n","modified":"2026-06-09T18:01:36.298969041Z","published":"2026-06-09T17:44:25Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-09T17:44:25Z","id":"IN-MAL-2026-005111","import_time":"2026-06-09T17:45:55.14610098Z","versions":["99.0.0-canary.1"],"sha256":"1a7a07a0a09ed8037058353b9b9b067e25e3cbe783eaab8d54276d490f823471","source":"amazon-inspector"},{"import_time":"2026-06-09T17:45:55.210202067Z","id":"IN-MAL-2026-005112","versions":["99.0.0-canary.1"],"modified_time":"2026-06-09T17:44:25Z","sha256":"bbd4cc6cf034de9a6a7d4edd97f5fcea8b806ad98dacb14372e5a632477861ad","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/grateful-payments/v/99.0.0-canary.1"}],"affected":[{"package":{"name":"grateful-payments","ecosystem":"npm","purl":"pkg:npm/grateful-payments"},"versions":["99.0.0-canary.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"ef2b6f485b2532da51b9f5f82a44416947f1d965023718a03005da3a51a68b45","tlsh":"4ed022fe91c4080aa3a047ac841a60cab94bc9f8008485d2730c86d220c0aeea2ac238","path":"src/canary.js"},{"sha256":"a1f33f0eb9897a7fab0e5b2cc2842e0c27f448ec1eae4cb20a2a255d689bc72d","tlsh":"53d09704e82042233cc88ee30da0c08b81286c031260ad2893639040310ca774ff7100","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-5PJTf1wBLN0XCBNbqy/1BGkdxDh5A6UfUm4lGzkvgQrIV7VaHF34iK+uiTH3o7XJNLf07Tb/Sk6JX5bXdqrHkg==","sha1":"c76573be2ecde7f4dd39bfce542e49babc80ee9c"},"filename":"grateful-payments-99.0.0-canary.1.tgz"}],"domains":["96e03fa6c292469a-172-245-86-254.serveousercontent.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/grateful-payments/MAL-2026-5445.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}