{"id":"MAL-2026-5472","summary":"Malicious code in getd-web-corporativa (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6751d3ca04c2ae596f7e809e339770edaed576060d361c061311960b0a3a7033)\nOn `npm install`, postinstall.js performs an HTTPS GET to a hardcoded webhook.site receiver, leaking the installer's hostname, OS username, platform, current working directory, package name/version, CI/build indicators, and a timestamp via URL query parameters. Errors are swallowed so installation appears to succeed silently. The destination is a public webhook collector — any party holding the UUID path can read every submission, so this is unauthenticated host reconnaissance suitable for follow-on targeting. The package's name resembles the `@getd/*` scope but is published unscoped by `jplopezy (defensive-squat)` with no repository and a placeholder homepage; the README's 'defensive squat telemetry' framing does not change the fact that installer-side identity data is shipped off-host without consent on every install. The package has no other functionality.\n","modified":"2026-06-09T21:01:35.078614863Z","published":"2026-06-09T20:25:50Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T20:45:52.074664472Z","source":"amazon-inspector","versions":["0.0.1"],"sha256":"6723001bb39dec6418cd295ccf96bfbde8f1c5ada178ce70882f1b4ba1d31ffe","modified_time":"2026-06-09T20:25:51Z","id":"IN-MAL-2026-005198"},{"import_time":"2026-06-09T20:45:51.919184284Z","source":"amazon-inspector","versions":["0.0.1"],"sha256":"6751d3ca04c2ae596f7e809e339770edaed576060d361c061311960b0a3a7033","modified_time":"2026-06-09T20:25:50Z","id":"IN-MAL-2026-005197"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/getd-web-corporativa/v/0.0.1"}],"affected":[{"package":{"name":"getd-web-corporativa","ecosystem":"npm","purl":"pkg:npm/getd-web-corporativa"},"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-web-corporativa/MAL-2026-5472.json","indicators":{"evidence_files":[{"tlsh":"062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e","sha256":"4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164","path":"postinstall.js"},{"tlsh":"c701f42a7625463329c0179c2c32980e3d228e575106791e27f7064583dfd6f86ff31a","sha256":"f7eb22924f9a257006e3eceb6093dc7551a15e8401e09b170455e0c793e4f919","path":"package.json"}],"domains":["webhook.site"],"package_integrity":[{"filename":"getd-web-corporativa-0.0.1.tgz","hashes":{"sha512_sri":"sha512-cF+S9qLbeRG0unokXUlMYD3j0uvcXpFbVPtHwd5x6VMyOhdL23mIjJjhdZmDrE37bkhQ1xLtuWWnFzml04QjDw==","sha1":"ff5647acc5bd2b5e88fcdf01a6c37d78b623208a"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}