{"id":"MAL-2026-5467","summary":"Malicious code in getd-handler-api (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (83398d27bb84d47296f796b4b2e6e9b5a0efc474add2e57592455e7d5d54eab5)\nOn `npm install`, postinstall.js collects the installer's hostname, username, platform, current working directory, and CI-related environment variables, then sends them via HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 (postinstall.js line 18). Errors are silenced so the beacon runs invisibly during install. Although package.json describes itself as a 'defensive' typosquat placeholder for the @getd/* scope, installer-side identifiers leave the machine unconditionally without consent on every install, which is unauthorized data collection regardless of stated intent. The combination of a typosquat-shaped name and an automatic install-time phone-home is the standard namespace-abuse exfil pattern.\n","modified":"2026-06-09T21:01:34.415878489Z","published":"2026-06-09T20:29:13Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T20:45:53.810145104Z","id":"IN-MAL-2026-005206","modified_time":"2026-06-09T20:29:14Z","versions":["0.0.1"],"sha256":"63178df74f217762fac782de932a2278af8a58d904245550ba57e1ac020a2367","source":"amazon-inspector"},{"import_time":"2026-06-09T20:45:53.672396204Z","id":"IN-MAL-2026-005205","versions":["0.0.1"],"modified_time":"2026-06-09T20:29:13Z","sha256":"83398d27bb84d47296f796b4b2e6e9b5a0efc474add2e57592455e7d5d54eab5","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/getd-handler-api/v/0.0.1"}],"affected":[{"package":{"name":"getd-handler-api","ecosystem":"npm","purl":"pkg:npm/getd-handler-api"},"versions":["0.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e","path":"postinstall.js","sha256":"4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164"},{"tlsh":"0401f42a7625063329c05a9c1c32980a3d128e575106b91e27e7060143cfc6fc5ff31a","path":"package.json","sha256":"35bae2415a4fc2fdd87eb89fa7ae4f9c8fcf676623f5449e02596994c6765f17"}],"domains":["webhook.site"],"package_integrity":[{"hashes":{"sha1":"c2a4842ea9bc6de7fe883a57e2c3ebd8775f0c64","sha512_sri":"sha512-1IrRA0D9+dE4W9gATqE89sXUHzJ5WonUsD855pZrcK8JZdb4W2epZwrHGabdkyDOWpkN9PGhYEUF8flgXzMnCw=="},"filename":"getd-handler-api-0.0.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-handler-api/MAL-2026-5467.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}