{"id":"MAL-2026-5533","summary":"Malicious code in @coze-common/chat-area (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (89b49d08422192fa57b4739bf462f0e8b3c206b2c3cfad15578ac92dd6f47b04)\nThis package is a dependency-confusion/namespace-squat against ByteDance's @coze-common scope. The library is hollow — index.js is `module.exports = {}` and the description ('Browser accessibility and security utilities for React') does not match the package name. The harm runs at install time: package.json declares `postinstall: node postinstall.js`, and postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a recursive directory listing of the install working directory, base64-encodes the JSON payload, and POSTs it to https://wybqtvzmfhssbvhokfgbvgaalpfg1vneq.oast.fun/ via https.request. A DNS covert channel (dns.lookup of a hex-encoded hostname+username subdomain under the same oast.fun host) is used as fallback to bypass HTTP egress filters. oast.fun is Interactsh out-of-band infrastructure used for reconnaissance against the installer's machine; the version 99.1.1 is the shadowing pattern used to win dependency-confusion resolution against the legitimate private @coze-common scope.\n","modified":"2026-06-11T00:16:29.446288351Z","published":"2026-06-10T23:33:27Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-10T23:33:27Z","id":"IN-MAL-2026-005312","versions":["99.1.1"],"source":"amazon-inspector","sha256":"89b49d08422192fa57b4739bf462f0e8b3c206b2c3cfad15578ac92dd6f47b04","import_time":"2026-06-11T00:00:57.489177544Z"},{"modified_time":"2026-06-10T23:33:27Z","versions":["99.1.1"],"source":"amazon-inspector","import_time":"2026-06-11T00:00:57.581431902Z","sha256":"cbfda63254e85169b3209df4260781e717ac5e9de9736408dfd4c3e9e258fd1e","id":"IN-MAL-2026-005313"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@coze-common/chat-area/v/99.1.1"}],"affected":[{"package":{"name":"@coze-common/chat-area","ecosystem":"npm","purl":"pkg:npm/%40coze-common%2Fchat-area"},"versions":["99.1.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"4fb8f8e6282686f52e6fcc7d485072f4b5614129","sha512_sri":"sha512-1JN5tTe5zpJsaMbV6IquC9mZEhQXVMg7AK7vXZbpILTxrGWR0uscdQwZnwiE1h47/3nQEVwcFbLE28pPy2m+mQ=="},"filename":"chat-area-99.1.1.tgz"}],"evidence_files":[{"path":"postinstall.js","sha256":"85d8ccbea0336fc399ba5cb07064cc559680704290051c5216bd9d64f3108563","tlsh":"4c3174e112f5e2205b7be0c4f97a9c569167e203710bede0f64c02651fc55b455b24f8"},{"path":"package.json","sha256":"1d1c15d1a3081ea30b6472d29ba97f394b24b0b286da0be4915784253cdb7fbd","tlsh":"7be0c2314a1497232dc892aa0827514b7a755e1b00587d3c2ba79194538f7ba44bf2ae"}],"domains":["7363616e2d6561386561316232653365332e7363616e.wybqtvzmfhssbvhokfgbvgaalpfg1vneq.oast.fun","wybqtvzmfhssbvhokfgbvgaalpfg1vneq.oast.fun"]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@coze-common/chat-area/MAL-2026-5533.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}