{"id":"MAL-2026-5622","summary":"Malicious code in @whatnot-web/www-legacy (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3fe99986935f0b2d200c3192dfc07fc1b6da96c78ac8a4f0a67aa23771e82709)\n@whatnot-web/www-legacy@99.1.1 is a dependency-confusion shell targeting the Whatnot org scope. The package ships an empty library (index.js exports `{}`), a generic description, blank author, and an inflated version (99.1.1) — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name. On `npm install`, postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a 2-level directory listing of the working directory, base64-encodes the JSON payload, and POSTs it via HTTPS to the hardcoded interactsh collector wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun. A hex-encoded DNS-lookup fallback to the same host is included to defeat HTTPS egress filtering. The collected information identifies internal build hosts and source-tree layouts and is suitable for staging follow-on attacks against the targeted organization.\n\n## Source: ossf-package-analysis (e45700e1f6645fd91fddc41fc131df1dfe2df1e3b0c049661f1185f61010fd24)\nThe OpenSSF Package Analysis project identified '@whatnot-web/www-legacy' @ 99.1.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-11T13:46:36.904639519Z","published":"2026-06-11T09:26:29Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T09:36:26.034126411Z","modified_time":"2026-06-11T09:26:29Z","source":"ossf-package-analysis","sha256":"e45700e1f6645fd91fddc41fc131df1dfe2df1e3b0c049661f1185f61010fd24","versions":["99.1.2"]},{"import_time":"2026-06-11T13:27:20.688400301Z","id":"IN-MAL-2026-005732","sha256":"21bb55bdbd36c38a976cea5f94cc8f67989823a769b8915fbe4d424e1ca3b9ae","source":"amazon-inspector","modified_time":"2026-06-11T13:05:30Z","versions":["99.1.1"]},{"import_time":"2026-06-11T13:27:20.607227625Z","id":"IN-MAL-2026-005731","sha256":"3fe99986935f0b2d200c3192dfc07fc1b6da96c78ac8a4f0a67aa23771e82709","source":"amazon-inspector","modified_time":"2026-06-11T13:05:29Z","versions":["99.1.1"]},{"import_time":"2026-06-11T13:27:20.823247294Z","id":"IN-MAL-2026-005734","modified_time":"2026-06-11T13:05:39Z","source":"amazon-inspector","sha256":"488b42325004726d9ffc2fd1dda185146a8cc73a8e90052b881cdbee2545e30a","versions":["99.1.2"]},{"import_time":"2026-06-11T13:27:20.765731134Z","id":"IN-MAL-2026-005733","modified_time":"2026-06-11T13:05:38Z","source":"amazon-inspector","sha256":"a85d19d24a55723e8078d46f2cbfb3c49e1e3ef6f4f66f41f86da599d707a4e6","versions":["99.1.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@whatnot-web/www-legacy/v/99.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@whatnot-web/www-legacy/v/99.1.2"}],"affected":[{"package":{"name":"@whatnot-web/www-legacy","ecosystem":"npm","purl":"pkg:npm/%40whatnot-web%2Fwww-legacy"},"versions":["99.1.2","99.1.1"],"database_specific":{"indicators":{"evidence_files":[{"path":"postinstall.js","sha256":"26a21da51540ea595013edc6a2263316ddac6721501329e2b7b9a0449b7fd7de","tlsh":"8a3162e112f4e2205b7be0c4f97a9c569163e203710bede0f64d02651fc55b455b24f8"},{"path":"package.json","sha256":"082fcfbbc170e884f0721c862ccc180f2c280b9b3a3485f958db7d21989509e4","tlsh":"09e0c2354a1593236dd492ab1827514b7a754e070059693c2b974194838e2bb85fe3ad"}],"domains":["7363616e2d3962306432366661663235392e7363616e.wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun","wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun"],"package_integrity":[{"filename":"www-legacy-99.1.1.tgz","hashes":{"sha512_sri":"sha512-UdyI+xKpmGcW/Xe26/4ScPU2vOvPNHbaDhCe07g3DphwYX16EbgdZ7SbZpf4SaFUISGRGj2tR+X/AYp0WHxK+Q==","sha1":"4148ed9b0761e0ec3730e411c6f92581256242a3"}}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@whatnot-web/www-legacy/MAL-2026-5622.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}