{"id":"MAL-2026-5474","summary":"Malicious code in getui-library (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bf281a31a53827497d9a24ff0602f277b568f495a00c14603c3e9bf11a30327a)\nOn `npm install`, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 with query parameters containing the installer's hostname (`os.hostname()`), username (`os.userInfo()`), platform (`os.platform()`), current working directory, CI environment indicators, package name/version, and a timestamp. Errors are silently swallowed to avoid breaking the install. The package's own description self-identifies as a typosquat placeholder for the `@getd/*` scoped namespace, so any developer who mistypes the intended package name is fingerprinted without consent. Regardless of the author's stated 'defensive security research' rationale, the technical behavior is unconsented installer-side identifier exfiltration to a third-party webhook collector triggered automatically by the postinstall lifecycle hook.\n","modified":"2026-06-09T21:01:35.352986079Z","published":"2026-06-09T20:28:59Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"25760a4672dd1edac426c0859125237d5a9a91268531665935249ea5bb4509a4","id":"IN-MAL-2026-005202","versions":["0.0.1"],"modified_time":"2026-06-09T20:29:00Z","import_time":"2026-06-09T20:45:53.064887883Z"},{"source":"amazon-inspector","sha256":"bf281a31a53827497d9a24ff0602f277b568f495a00c14603c3e9bf11a30327a","id":"IN-MAL-2026-005201","versions":["0.0.1"],"modified_time":"2026-06-09T20:28:59Z","import_time":"2026-06-09T20:45:52.873010617Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/getui-library/v/0.0.1"}],"affected":[{"package":{"name":"getui-library","ecosystem":"npm","purl":"pkg:npm/getui-library"},"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getui-library/MAL-2026-5474.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-bZ9iYS5XNx/pb/59CejZ11om7OYlJCtolpyCaq3tZhD/SMdz7inuaMt1KSkDaT6Cn7cvFTosHzv5ZTVHmnJz5Q==","sha1":"099aaceb0d49acdf8e1691eab45d486993b5061e"},"filename":"getui-library-0.0.1.tgz"}],"domains":["webhook.site"],"evidence_files":[{"sha256":"4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164","path":"postinstall.js","tlsh":"062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e"},{"sha256":"6d06923137755f5191e0c145140719fa06fc4d3cc72c3426e9e574c6bca0d397","path":"package.json","tlsh":"2401f42a76250a3339c0565c1c32980a3d528e5751067d1f27e7060143cfc6f85ff31e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}