{"id":"MAL-2026-5462","summary":"Malicious code in @rockawayx/utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab)\n@rockawayx/utils squats the unclaimed @rockawayx npm scope and runs a preinstall beacon on every install. package.json declares `\"preinstall\": \"node notify.js || true\"`; notify.js collects os.hostname(), os.userInfo().username, os.platform(), and a timestamp and POSTs them as JSON to https://2.25.140.71:8443/rockawayx/depconf-poc with `rejectUnauthorized: false` (TLS verification disabled). The destination is a hardcoded bare IPv4, not a publisher-owned domain. Any build that resolves @rockawayx/* against the public registry — the canonical dependency-confusion victim — will pull this package and silently transmit host identifiers to the bare IP. The README frames the package as authorized security research, but the code performs the same install-time exfiltration any dependency-confusion attacker would, and consumers in any pipeline (not only the targeted organization) trigger the beacon without consent.\n","modified":"2026-06-09T21:01:33.727843648Z","published":"2026-06-09T20:25:07Z","database_specific":{"malicious-packages-origins":[{"versions":["0.0.1"],"import_time":"2026-06-09T20:45:51.731061185Z","sha256":"e286c45b54ab9002ef8b7eec7ec686afc0bb82c2867c3640c460c8d1052b2bab","modified_time":"2026-06-09T20:25:07Z","id":"IN-MAL-2026-005196","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@rockawayx/utils/v/0.0.1"}],"affected":[{"package":{"name":"@rockawayx/utils","ecosystem":"npm","purl":"pkg:npm/%40rockawayx%2Futils"},"versions":["0.0.1"],"database_specific":{"indicators":{"package_integrity":[{"filename":"utils-0.0.1.tgz","hashes":{"sha512_sri":"sha512-Iob3BAbaJ/r08bPY2g3fvJS+WgzB0yisgfrhCeNW58O9ZxxxU8adaFlTkKSndxgOE6UJ2ljgSwWJ1DKXn3FgEA==","sha1":"838f7f1617519705a4229bc7842eb7ddd6ef5d92"}}],"evidence_files":[{"tlsh":"1701f4f45368ed706ff581e5e1f1a416d272f164b92b79f9e4d402aca35c1c404349f0","sha256":"0e1c40712f4e988386d5dd3fb02c4ff60ceda140c2bf4d7efefac7a6aaaa126a","path":"notify.js"},{"tlsh":"4ed097700824a43304c48be219b2820bb0a1cc1b10acbd0c1383010880ee7f389ff10d","sha256":"39e108d5b42518575ebc462916eda4cbcf80ee04c83d39c35a894585b35f07a5","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@rockawayx/utils/MAL-2026-5462.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}