{"id":"MAL-2026-5459","summary":"Malicious code in @dktunited/anly-tracker-v2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8a8893b914c3ba3139a3c8cede191521742237aa7c1c5d64f7ee45dbc5f636a6)\nscripts/postinstall.js runs unconditionally during `npm install` and exfiltrates installer-side identifiers to an attacker-controlled out-of-band collector. The script fetches the installer's public IP from api.ipify.org, then collects `os.userInfo().username`, `os.hostname()`, `process.cwd()`, the package name, and the resolved IP, and transmits them to the hardcoded host `xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun` (an Interactsh OOB collector) via two channels: a `dns.lookup` of a hex-encoded subdomain and an `https.request` to `/poc` carrying the JSON payload base64-encoded in an `x-poc` header. The package is published at version 99.99.99 — the canonical dependency-confusion squat marker designed to outrank any internal `@dktunited/anly-tracker-v2` package by semver. Whether labeled a bug-bounty PoC by the author or not, it is live on the public registry and will harm any build system that resolves it.\n","modified":"2026-06-09T19:01:30.761942997Z","published":"2026-06-09T17:45:50Z","database_specific":{"malicious-packages-origins":[{"versions":["99.99.99"],"modified_time":"2026-06-09T17:45:50Z","id":"IN-MAL-2026-005121","sha256":"8a8893b914c3ba3139a3c8cede191521742237aa7c1c5d64f7ee45dbc5f636a6","source":"amazon-inspector","import_time":"2026-06-09T18:50:17.004838866Z"},{"versions":["99.99.99"],"modified_time":"2026-06-09T17:45:50Z","id":"IN-MAL-2026-005122","sha256":"f5592101eecb18abeaffb9d7f290c0dd32a9278e683f99432788680986e011bd","source":"amazon-inspector","import_time":"2026-06-09T18:50:17.18575481Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@dktunited/anly-tracker-v2/v/99.99.99"}],"affected":[{"package":{"name":"@dktunited/anly-tracker-v2","ecosystem":"npm","purl":"pkg:npm/%40dktunited%2Fanly-tracker-v2"},"versions":["99.99.99"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dktunited/anly-tracker-v2/MAL-2026-5459.json","indicators":{"domains":["7b22706b67223a2240646b74756e697465642f616e6c792d747261636b65.xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun","xjaipnfhcpawuhzlgzkzub8mc0rqdiuyp.oast.fun","api.ipify.org"],"package_integrity":[{"filename":"anly-tracker-v2-99.99.99.tgz","hashes":{"sha512_sri":"sha512-P5At0IIAvN7GdxikNEZztHPxiJlmHkAnvdbE1IjgyRbrqXRSm44HvH0TbFUdQONwZtr4XFWOwWnaSgdgFdk8xg==","sha1":"87c5fb06f0a358d560bebb6a6f2a5438ddae918f"}}],"evidence_files":[{"path":"scripts/postinstall.js","sha256":"aa9ca6d9e8623690bab98aef79f4b919052c7277f6037f08c87e27ad540dfe49","tlsh":"cc1102a872f09324057260c4ccabde1a5117e2137a46d961fbcc41949f446b8ecb2ef9"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}