{"id":"MAL-2026-5648","summary":"Malicious code in unified-ui-components-library (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (78fe6900f4329c8e4c7bb5322f0e30a3f3b90e289c45852fca61c4fd16f43fd8)\nOn `npm install`, the package's postinstall.js collects `os.hostname()` and `os.userInfo().username` and embeds them as query-string parameters in a plaintext HTTP GET to a hardcoded bare IP (http://161.97.149.48/skybackground.png?display=\u003chostname\u003e&profile=\u003cusername\u003e). The fetch is dressed up as an 'image download' but the identifying data is in the URL the server logs, giving the operator a per-install fingerprint of every machine that installs the package. The download path also follows 301/302 redirects to attacker-chosen Locations and writes the server's response body to ./downloaded-image.jpg with no content-type validation, providing staging infrastructure alongside the beacon. Cover-story signals corroborate intent: package.json describes an 'image downloader CLI' with placeholder author 'Your Name', README.md advertises an unrelated 'Simple Text Utils' API (capitalize/reverse/wordCount) that the code does not implement, and index.js exports only `downloadImage`. The advertised purpose, README, and shipped code disagree — the consistent behavior across all three is the install-time phone-home.\n","modified":"2026-06-11T13:46:36.006020678Z","published":"2026-06-11T13:23:56Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T13:27:21.388259152Z","modified_time":"2026-06-11T13:23:58Z","source":"amazon-inspector","versions":["10.0.3"],"id":"IN-MAL-2026-005746","sha256":"5c2701b0b360af9ff8d06c12dcfaba8fbeff8840d1d7c56ce600a7ae8c5f1ffb"},{"import_time":"2026-06-11T13:27:21.417288346Z","versions":["10.0.2"],"source":"amazon-inspector","sha256":"78fe6900f4329c8e4c7bb5322f0e30a3f3b90e289c45852fca61c4fd16f43fd8","id":"IN-MAL-2026-005747","modified_time":"2026-06-11T13:24:02Z"},{"import_time":"2026-06-11T13:27:21.301846096Z","versions":["10.0.1"],"source":"amazon-inspector","sha256":"baccf68297f0f532fddbf8186c16935ec20b3f30a749c5f0acdc5b0647567c76","id":"IN-MAL-2026-005745","modified_time":"2026-06-11T13:23:56Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/unified-ui-components-library/v/10.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/unified-ui-components-library/v/10.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/unified-ui-components-library/v/10.0.1"}],"affected":[{"package":{"name":"unified-ui-components-library","ecosystem":"npm","purl":"pkg:npm/unified-ui-components-library"},"versions":["10.0.3","10.0.2","10.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unified-ui-components-library/MAL-2026-5648.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-aoAmrS8+YCBekWnvxVBddHf1O5gnZat0nVvnib06P9kN3Rzv+cJkyYVorhRAFDyL/EuK3JyW/t6PfvajUsqeBw==","sha1":"6e133836325c29a1e602b5689462e58c1eb4bc11"},"filename":"unified-ui-components-library-10.0.3.tgz"}],"evidence_files":[{"sha256":"e2e4d144ce9269f1cbc6cc4d048d26acf573c258d4a656f61075635c9138e099","path":"postinstall.js","tlsh":"a251537519f351393237e0ad7f5b592ab2577403318dcb04358c71015fceaa486aa3bb"},{"sha256":"832350de287279bc69ad0e99185909518947f0f22a07f8526be86731552f4d22","tlsh":"71e0ab1d89206e1335c80a982d5b190af25509470148bd0837e7006c0bae23f207e25f","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}