{"id":"MAL-2026-5537","summary":"Malicious code in @entos-ems/xerxes-client-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b)\nOn `npm install`, package.json's `preinstall: node index.js` hook fires automatically and runs a reconnaissance beacon. index.js collects host identifiers (os.hostname(), process.platform, arch, home directory, username/uid/gid/shell, OS info, cwd) and the output of shell commands `whoami` and `id` (executed via child_process.exec), then POSTs the JSON payload to a hardcoded Burp Collaborator (oastify.com) subdomain at https://98fmeiqizlsgqr14stq21w67ryxplf94.oastify.com/detox56. The package targets the @entos-ems scope and ships no functional client code, consistent with a dependency-confusion attack against an internal namespace.\n","modified":"2026-06-11T01:31:29.459934839Z","published":"2026-06-11T00:28:51Z","database_specific":{"malicious-packages-origins":[{"versions":["10.10.11"],"source":"amazon-inspector","modified_time":"2026-06-11T00:28:52Z","id":"IN-MAL-2026-005345","import_time":"2026-06-11T01:21:50.723954553Z","sha256":"25a156d732567a2f4eca4a4849010db272343081273510e91260e703580ac1c1"},{"versions":["10.10.11"],"source":"amazon-inspector","id":"IN-MAL-2026-005344","modified_time":"2026-06-11T00:28:51Z","import_time":"2026-06-11T01:21:50.674292003Z","sha256":"5632d30e60b3bb5fc5d731458a7c2972bd356c3ec1a9e8064df135359ee4ec7b"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@entos-ems/xerxes-client-js/v/10.10.11"}],"affected":[{"package":{"name":"@entos-ems/xerxes-client-js","ecosystem":"npm","purl":"pkg:npm/%40entos-ems%2Fxerxes-client-js"},"versions":["10.10.11"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@entos-ems/xerxes-client-js/MAL-2026-5537.json","indicators":{"domains":["98fmeiqizlsgqr14stq21w67ryxplf94.oastify.com"],"evidence_files":[{"path":"index.js","tlsh":"cb5141c515f65a241ba7b8494a4f9002a327e003350ade55bfcc8740af9937c9bf0bf6","sha256":"24edacb8a2bae24c796255f7d4047a1e3118052e31189251a97f0362e0c9bd0f"}],"package_integrity":[{"filename":"xerxes-client-js-10.10.11.tgz","hashes":{"sha1":"a5b45702b8eb03b258e1aa554c35c4f22792a8ae","sha512_sri":"sha512-niVy5zUg0qX4HNtGE+10u71SW4c0hv81qs/Cdrzl5gHbKIEo+vF7YIfpRnrfVic+MRnMWhkV+iNplcOBVJ1D4Q=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}