{"id":"MAL-2026-5465","summary":"Malicious code in getd-content-management (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (44eb41541c340c710ad8afc366ab4642d3809d8d9afef53b99e3704b9dfb684b)\nThe unscoped package name 'getd-content-management' impersonates the legitimate @getd/* npm scope (acknowledged in the package's own README). On `npm install`, the postinstall.js lifecycle script collects host identifiers via `os.hostname()`, `os.userInfo().username`, `os.platform()`, `process.cwd()`, and CI-related environment variables (CI, BUILD_BUILDID, AGENT_NAME), and transmits them as query-string parameters in an HTTPS GET request to `https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5` — a generic third-party request-capture service unrelated to any publisher infrastructure. Errors are silently swallowed so the installer sees no indication the call occurred. The combination of name-confusion against an existing scope and silent install-time beaconing of internal hostnames, user accounts, build paths, and CI agent identity to an attacker-controlled capture URL is operationally indistinguishable from a malicious typosquat regardless of how the README frames the behavior.\n","modified":"2026-06-09T21:01:34.153626459Z","published":"2026-06-09T20:28:53Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T20:45:52.276871435Z","versions":["0.0.1"],"id":"IN-MAL-2026-005199","source":"amazon-inspector","sha256":"44eb41541c340c710ad8afc366ab4642d3809d8d9afef53b99e3704b9dfb684b","modified_time":"2026-06-09T20:28:53Z"},{"import_time":"2026-06-09T20:45:52.59260818Z","versions":["0.0.1"],"id":"IN-MAL-2026-005200","source":"amazon-inspector","sha256":"efaa0ace9a4e74cb70a973143ccb7abd217de77d7fcd7bb588536de79c3d360c","modified_time":"2026-06-09T20:28:53Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/getd-content-management/v/0.0.1"}],"affected":[{"package":{"name":"getd-content-management","ecosystem":"npm","purl":"pkg:npm/getd-content-management"},"versions":["0.0.1"],"database_specific":{"indicators":{"evidence_files":[{"path":"postinstall.js","tlsh":"062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e","sha256":"4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164"},{"path":"package.json","tlsh":"eb01f42a762506332dc0565c1c33a80a3d128d575106791e27e7060543dfd6fc5ff31e","sha256":"cef184b2894c435c28fd0db2148e4703520d4e761ce8e68c944664e359efe12e"}],"package_integrity":[{"hashes":{"sha1":"973909615c7d01b0ce25dab5c1a1f9a1b62f8251","sha512_sri":"sha512-/y3MBk3R+9IfzrY8WpyIS5KtygJpeHWQfToiAezZYNRKmmfG48ORWSqoJyBui0RkX4uzjPu47IKdmyF4hX4dGw=="},"filename":"getd-content-management-0.0.1.tgz"}],"domains":["webhook.site"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-content-management/MAL-2026-5465.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}