{"id":"MAL-2026-5582","summary":"Malicious code in wp-env (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ec2e092036cea9a9b2563e18b3d588ab046800c2160fb820081423b909066759)\nPackage squats the `wp-env` CLI name commonly invoked as `npx wp-env` by users intending @wordpress/env. The package ships only `bin/run.js` (declared `main: index.js` is absent from the tarball), so its sole execution surface is the bin script that fires when a developer runs `npx wp-env`. On execution, bin/run.js reads `process.env.INIT_CWD`, derives the basename of the installer's project directory, and POSTs it together with timestamp and package metadata to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/dc43de99-70fc-4782-8668-bec6eee1975b`. The package self-describes as a 'Security PoC for Bug Bounty' — name-confusion attack against @wordpress/env combined with concrete installer-side data exfiltration (the project directory basename, sent to an attacker-controlled host that uses a per-target callback path to identify successfully-confused victims). This satisfies both the typosquat shape (≤2 char edit / namespace confusion vs. @wordpress/env's `wp-env` CLI) and a concrete exfil payload to an attacker-controlled destination.\n","modified":"2026-06-11T05:46:32.889405977Z","published":"2026-06-11T05:05:53Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T05:41:05.230251237Z","id":"IN-MAL-2026-005542","versions":["1.0.0"],"modified_time":"2026-06-11T05:05:53Z","sha256":"ec2e092036cea9a9b2563e18b3d588ab046800c2160fb820081423b909066759","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/wp-env/v/1.0.0"}],"affected":[{"package":{"name":"wp-env","ecosystem":"npm","purl":"pkg:npm/wp-env"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"5ea8406ede323122bb335e70b0e65aebff785200d764f45960e247bf8b051dd3","path":"bin/run.js","tlsh":"0d2154906ae2573462ea1ad0995b9c0b7237b20b7e41f0a8b59c01882fc813c9573fce"},{"tlsh":"b7c0801c445ea403f645cffc5c7f5180513d073c3015c84808443058c0e67b57539344","path":"package.json","sha256":"a91c9861cdc3e93356e2895dd07f41df2b4f538003b7958ad1c85a555dac2626"}],"package_integrity":[{"hashes":{"sha1":"fe1ea4418d6e656c58ec4cc1ae812085fccfaaa9","sha512_sri":"sha512-pMysMCSVw6rnhECmKuJkTAUtl2vixnBAf0Ciz0OR9AFmYuBazKtZS5yLLuIjyEt4qI/H+lGzM7E7P500VfbBrQ=="},"filename":"wp-env-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wp-env/MAL-2026-5582.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}