{"id":"MAL-2026-5540","summary":"Malicious code in @monitoring-lib/error-tracking (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d)\nOn `npm install`, the `preinstall` lifecycle hook in package.json runs a Node one-liner that reads the installer's hostname (`os.hostname()`) and username (`os.userInfo().username`) and transmits them to an attacker-controlled Interactsh/OAST callback domain via two channels: an HTTPS GET request to `https://d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site/?h=\u003chostname\u003e&u=\u003cusername\u003e` and a DNS lookup of `monitoring-lib.\u003chostname\u003e.d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site`. The package name uses a generic scope (`@monitoring-lib`) that does not correspond to a known publisher, and the version number `9999.0.0` is the canonical shape of a dependency-confusion attack — a public registry upload designed to override an organization's internal package of the same name. Combined, the package is a supply-chain recon beacon: any installer that resolves to this version leaks its host identity to the attacker, identifying victims whose private-registry configurations failed.\n\n## Source: ossf-package-analysis (160b44403dfdcc6f9b6a3390ac9d1a2a55ed88c8a3cfd660850d573a89682453)\nThe OpenSSF Package Analysis project identified '@monitoring-lib/error-tracking' @ 9999.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-11T02:31:32.189436159Z","published":"2026-06-11T01:22:04Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005362","source":"amazon-inspector","sha256":"491603ad44ed812c3d248696b00f7d4801a4c1dc23e4f23a3bb86f2ef499616d","modified_time":"2026-06-11T01:48:11Z","versions":["9999.0.0"],"import_time":"2026-06-11T02:24:27.854737577Z"},{"id":"IN-MAL-2026-005363","source":"amazon-inspector","modified_time":"2026-06-11T01:48:12Z","versions":["9999.0.0"],"sha256":"8100d54eed6cb854340b403b4d22c6b2c4a6abc7780fc1a94c00e1d4a5404625","import_time":"2026-06-11T02:24:27.905843345Z"},{"sha256":"160b44403dfdcc6f9b6a3390ac9d1a2a55ed88c8a3cfd660850d573a89682453","source":"ossf-package-analysis","modified_time":"2026-06-11T01:22:04Z","versions":["9999.0.0"],"import_time":"2026-06-11T02:24:24.741689959Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@monitoring-lib/error-tracking/v/9999.0.0"}],"affected":[{"package":{"name":"@monitoring-lib/error-tracking","ecosystem":"npm","purl":"pkg:npm/%40monitoring-lib%2Ferror-tracking"},"versions":["9999.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@monitoring-lib/error-tracking/MAL-2026-5540.json","indicators":{"package_integrity":[{"filename":"error-tracking-9999.0.0.tgz","hashes":{"sha1":"f677dc4bbe961186740398b74581a1043f25f1c3","sha512_sri":"sha512-WShghcdrbPfixkkWgI7ieefxTRESW8w8f/saqVXwrevCrH5ZRnf4kU+Hr+cvhx6i2miMraPU5lpiNaJML+WxLw=="}}],"evidence_files":[{"sha256":"ef769e339f69d0587da8b112dbf3b827aaaca128564f808bed29ade70e9bcf43","path":"package.json","tlsh":"5df0c0b4858090235fe8208807aa610da2c68f0ab16e0c13dde255e743c45f67f76131"}],"domains":["d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site","monitoring-lib.scan-99456db80cc7.d8ks495t5p5ut2enft8041g7fusnfsy5e.oast.site"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}