{"id":"MAL-2026-5486","summary":"Malicious code in menu-filter-widget-web (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce)\npackage.json declares a postinstall lifecycle hook that runs callback.js on every npm install. callback.js reads os.hostname() and sends it to a hardcoded oastify.com (Burp Collaborator) URL via HTTPS GET, with a fallback DNS lookup that embeds the hostname as a subdomain label. Both channels carry a unique token plus the installer's hostname, registering the install with a remote attacker-controlled collaborator on every install. The package self-describes as a 'PoC' but is published to the public registry, so any installer leaks host identity automatically without consent.\n","modified":"2026-06-09T21:01:37.126082628Z","published":"2026-06-09T20:43:12Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005238","versions":["0.0.1"],"modified_time":"2026-06-09T20:43:13Z","source":"amazon-inspector","sha256":"6dbcaf0b132c21e578d8caafa01a8740d4c1aa8ef82f9cdeaaf46536027a9d92","import_time":"2026-06-09T20:45:58.555265086Z"},{"id":"IN-MAL-2026-005237","versions":["0.0.1"],"modified_time":"2026-06-09T20:43:12Z","source":"amazon-inspector","sha256":"bed4a7ece362ef59f2b621b3f64d06e899740c8ca8d73e437145d48b960187ce","import_time":"2026-06-09T20:45:58.462240903Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/menu-filter-widget-web/v/0.0.1"}],"affected":[{"package":{"name":"menu-filter-widget-web","ecosystem":"npm","purl":"pkg:npm/menu-filter-widget-web"},"versions":["0.0.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-A3OpHxFxG7JPJJ/wB/CaBv/1LoVgnA3xgTc/2kZpWn0LDUnzXoNFMhOAOOu2Bthirt+25sHLlXNC/4Hdn9ULVg==","sha1":"5431e829ec21c1ea16a115f6cddefdfc836428a0"},"filename":"menu-filter-widget-web-0.0.1.tgz"}],"evidence_files":[{"path":"callback.js","tlsh":"b601c2fe06c4c73c594035c1e156543ae1abf244718699f0b46f321243e657626734f9","sha256":"a1796ad3ed640844791551a0cfc9aabe691ec7ffe3431212c70e3c061254260b"},{"path":"package.json","tlsh":"06d0a7a01c0346773cd0ff970832429e5164cb085648451d09b16364845a9f8417126d","sha256":"6b1b2eae54c2490bbbc33f956fc742d1808e122ac61c1334efe968ad6ecedd34"}],"domains":["3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com","poc-widget-001.scan-dea4a1d74656.3y294ed4dfq501wnmdvbakcnwe25qvek.oastify.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/menu-filter-widget-web/MAL-2026-5486.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}