{"id":"MAL-2026-5490","summary":"Malicious code in sb-original (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83)\nsb-original@9999.99.99 is an unscoped package whose version is set to 9999.99.99 to win semver resolution against any internal package of the same name. index.js transparently re-exports the real `sb-original` module so consumers see normal functionality, while a postinstall script silently fingerprints the installing environment. On `npm install`, postinstall.js POSTs JSON containing the consuming package name/version, Node version, OS, detected CI provider, and GitHub repository/owner/workflow identifiers to https://ddactic-lab.online/sc/beacon (postinstall.js:32). It also performs a DNS-based fallback that encodes the same fields as a subdomain of b.ddactic-lab.online (postinstall.js:46 `dns.lookup(`${sl}.${ci}.${h}.b.ddactic-lab.online`,...)`), which is designed to bypass HTTP egress controls. The combination of an extreme version floor, a transparent proxy main, and unconditional install-time exfiltration of GitHub repo identifiers to an attacker-controlled domain is the canonical dependency-confusion attack shape.\n","modified":"2026-06-09T23:46:26.926343791Z","published":"2026-06-09T22:57:12Z","database_specific":{"malicious-packages-origins":[{"versions":["9999.99.99"],"source":"amazon-inspector","modified_time":"2026-06-09T22:57:13Z","import_time":"2026-06-09T23:32:25.540277583Z","id":"IN-MAL-2026-005257","sha256":"5419fc906c3b5ca1817006530c8ec07e70675fa10fd9c2be97bda76fb56d7d8d"},{"versions":["9999.99.99"],"source":"amazon-inspector","sha256":"c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83","modified_time":"2026-06-09T22:57:12Z","id":"IN-MAL-2026-005256","import_time":"2026-06-09T23:32:25.504454545Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/sb-original/v/9999.99.99"}],"affected":[{"package":{"name":"sb-original","ecosystem":"npm","purl":"pkg:npm/sb-original"},"versions":["9999.99.99"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sb-original/MAL-2026-5490.json","indicators":{"evidence_files":[{"tlsh":"e241a755829891340fe122c9b852c8165d7bd49633e799f0774d15226fc92bc03b2fdf","path":"postinstall.js","sha256":"e5c7efaa25bd6fc20c40fe6e39a40957043022e78b5ec6d9ad2b9e49a3ef75c8"},{"tlsh":"5ee02b654e35c7b31dc83b95992a158677321c47c484fc8923d70128839e06711bf21d","path":"package.json","sha256":"909c530937f12ec928c28dc6fff529c3e46531e7f5ce0bf5547de695d4023d08"}],"package_integrity":[{"filename":"sb-original-9999.99.99.tgz","hashes":{"sha1":"6123884ec06181739caa7222e6010cd8efb9a51b","sha512_sri":"sha512-RtCXUaC/nFpydImoTi4qbJpligM1lpYrPCJHpWg1QjeFXkG4hq0s52QR48of+cDscXpBupTGBL7ZHmf77GRtow=="}}],"domains":["ddactic-lab.online","sb-original.none.81fac073.b.ddactic-lab.online","sb-original.none.81fac073.b.ddactic-lab.online.ec2.internal"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}