{"id":"MAL-2026-5469","summary":"Malicious code in getd-transactional-web (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fe5e89f2411faf9265508a84772d5667bb3095cf28937bb9e9ab80a215ff4208)\nOn `npm install`, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying os.hostname(), os.userInfo().username, os.platform(), process.cwd(), CI environment indicators (CI, BUILD_BUILDID, AGENT_NAME), and the package name/version. Errors are swallowed silently. The destination is an anonymous third-party request-bin, not a publisher-owned endpoint, so any party holding the webhook URL receives identifying information about every machine that installs this package. The package's README frames itself as a 'defensive squat' of the `@getd` scoped namespace, but the data flow — installer identifiers leaving the host to an unaffiliated request-bin without consent — is identical to a malicious typosquat beacon. The combination of a name that lures users targeting `@getd/*` and an unauthenticated metadata beacon at install time is installer-harming regardless of stated intent.\n","modified":"2026-06-09T21:01:34.784912038Z","published":"2026-06-09T20:29:19Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-005208","modified_time":"2026-06-09T20:29:19Z","sha256":"2a68055e3e75d6aa2b4661899cf358e96f8f902af1e0ac8ffadad30609dc42c0","versions":["0.0.1"],"import_time":"2026-06-09T20:45:54.031899396Z"},{"source":"amazon-inspector","id":"IN-MAL-2026-005207","modified_time":"2026-06-09T20:29:19Z","sha256":"fe5e89f2411faf9265508a84772d5667bb3095cf28937bb9e9ab80a215ff4208","versions":["0.0.1"],"import_time":"2026-06-09T20:45:53.938350293Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/getd-transactional-web/v/0.0.1"}],"affected":[{"package":{"name":"getd-transactional-web","ecosystem":"npm","purl":"pkg:npm/getd-transactional-web"},"versions":["0.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha1":"6e97d39be7b7d5719455ecc7ae3209e5a504e20d","sha512_sri":"sha512-i23TAsRw3Slkv1XZd5VPGr67LaBW6B3ZyPHtIGYq+KH6NQ61CcI4c6Y3PrLDtuye5/dkZKUGAU9HwuCa95PcnQ=="},"filename":"getd-transactional-web-0.0.1.tgz"}],"domains":["webhook.site"],"evidence_files":[{"tlsh":"062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e","sha256":"4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164","path":"postinstall.js"},{"sha256":"3f43eec8fa98175e1871933dc3c52a1278c4553956559e6a440a8b26fff4d79a","tlsh":"9f01f42a7625163329c0675c1d33a80a3d228d575106791e27e7064583dfc6f85ff21e","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-transactional-web/MAL-2026-5469.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}