{"id":"MAL-2026-5572","summary":"Malicious code in sendgrid-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (08f1d48bc557c6afa69c74455fe35f34ed0992082dc30fc09d032523d2329f63)\nPackage impersonates the official SendGrid npm packages (@sendgrid/*) but ships no SDK functionality — index.js exports an empty object. Its sole purpose is a postinstall recon beacon. On `npm install`, postinstall.js collects extensive installer-side identifiers — hostname, reverse-DNS FQDN, OS user, USERPROFILE, Active Directory domain (USERDNSDOMAIN, USERDOMAIN, LOGONSERVER), proxy/VPN/ZScaler environment signals, OneDrive corporate flag, install working directory, and CI repository identifiers (GitHub/GitLab/CircleCI/Travis/Bitbucket/Azure/Jenkins URLs and npm registry) — and transmits them via plain HTTP GET to http://46.224.67.169:3000/ping with each field as a query parameter (pkg, addomain, fullpath, etc.). The combination of name impersonation, empty SDK surface, and unsolicited fingerprinting of corporate AD/CI environments to a bare-IP HTTP endpoint is recon staging for follow-on supply-chain or phishing attacks. README framing this as a \"honeypot\" does not constitute installer consent — the package is published to the public npm registry where any developer mistyping the SendGrid name will trigger the beacon.\n","modified":"2026-06-11T08:01:32.631267517Z","published":"2026-06-11T05:10:36Z","database_specific":{"malicious-packages-origins":[{"sha256":"df3992f84ee5a81eb1ad508d9fd6e2a0a51f8552056effe7dece155e1fdfd619","versions":["0.2.4"],"id":"IN-MAL-2026-005551","source":"amazon-inspector","modified_time":"2026-06-11T05:10:36Z","import_time":"2026-06-11T05:41:06.184562851Z"},{"sha256":"740af421012a33d5773d502ef2ac51f5697d2ec0baa0598a08afa722dd14e209","versions":["0.1.1"],"id":"IN-MAL-2026-005619","source":"amazon-inspector","modified_time":"2026-06-11T06:18:53Z","import_time":"2026-06-11T07:49:33.3982726Z"},{"sha256":"76af40b4d1204d2e756b8c339048795de2e130301b007f4495e08853371fe2ed","versions":["0.2.1"],"id":"IN-MAL-2026-005621","source":"amazon-inspector","modified_time":"2026-06-11T06:18:56Z","import_time":"2026-06-11T07:49:33.600875714Z"},{"source":"amazon-inspector","versions":["0.1.0"],"id":"IN-MAL-2026-005620","sha256":"7f23e6fb704388bb60fbae0ed2d4ad51bc2cabe671da387eed6f450951c708b2","modified_time":"2026-06-11T06:18:55Z","import_time":"2026-06-11T07:49:33.483697699Z"},{"sha256":"a19a2f5792f568f4391d6ff89ab07575e238550f96b31c82afde532d4378cd94","versions":["0.2.0"],"id":"IN-MAL-2026-005624","source":"amazon-inspector","modified_time":"2026-06-11T06:18:58Z","import_time":"2026-06-11T07:49:33.927827959Z"},{"source":"amazon-inspector","versions":["0.2.2"],"id":"IN-MAL-2026-005622","sha256":"d1f3e67a6fb5063042d65f8123f4d2a8ae7ce481a022396e7285fe788342876d","modified_time":"2026-06-11T06:18:56Z","import_time":"2026-06-11T07:49:33.717452604Z"},{"sha256":"e4474baa48b79c2fdb036376386c7b83ebd7720c690e330e4e84f957d6364bee","versions":["0.1.3"],"id":"IN-MAL-2026-005626","source":"amazon-inspector","modified_time":"2026-06-11T06:19:09Z","import_time":"2026-06-11T07:49:34.119637969Z"},{"source":"amazon-inspector","versions":["0.2.3"],"id":"IN-MAL-2026-005623","sha256":"08f1d48bc557c6afa69c74455fe35f34ed0992082dc30fc09d032523d2329f63","modified_time":"2026-06-11T06:18:57Z","import_time":"2026-06-11T07:49:33.825923384Z"},{"sha256":"25333dd5bc97c012a677a97b234e7f79e57c49239aa138949a2b9085a3829553","versions":["0.1.2"],"id":"IN-MAL-2026-005625","source":"amazon-inspector","modified_time":"2026-06-11T06:19:06Z","import_time":"2026-06-11T07:49:34.026522344Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.2.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.2.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.2.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sendgrid-sdk/v/0.1.2"}],"affected":[{"package":{"name":"sendgrid-sdk","ecosystem":"npm","purl":"pkg:npm/sendgrid-sdk"},"versions":["0.2.4","0.1.1","0.2.1","0.1.0","0.2.0","0.2.2","0.1.3","0.2.3","0.1.2"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"c2a1ff364f5545691beb211d972f740ea6bef01308a6da403eaca1942ff13931378ef5","path":"postinstall.js","sha256":"a5c2f07299786513a13027cafbdb7c19966e5b87329925e0fc2097b1b03d7c2e"},{"tlsh":"cfe08c104b314e3378c8ab990d676909e9929c1785547c2d27af11988b9e37a98ff22e","path":"package.json","sha256":"d3fc9aa5b99c8d61188be3f463009642629b0f526321e53845b1f20f51d8473c"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-ZiZS2yFU7Qi1vzuvScReXbJQ8kju46FTi1ScJO5ejVAR2JJWssyoJ5ENFmq9TyXozhbvrryITVFFV9EgnBdXyw==","sha1":"18ce2b97551f9c32bf4bbd4d22ebcaf538d06260"},"filename":"sendgrid-sdk-0.2.4.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sendgrid-sdk/MAL-2026-5572.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}