{"id":"MAL-2026-5736","summary":"Malicious code in node-stack-frames (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158)\npackage.json declares a preinstall script that runs an inline Node program on `npm install`. The script requires `os` and `http`, collects `os.hostname()`, `os.platform()`, and `os.arch()`, base64-encodes the result, and issues an HTTP GET to `https://d8lslmi9io6i264ftj80mh9e7niqiaenf.oast.live/?data=\u003cencoded\u003e`. The host is a Project Discovery interactsh (OAST) subdomain used as an out-of-band collection endpoint. The package ships no functional code — its own description identifies it as a security holding placeholder — so the only effect of installing it is the automatic exfiltration of installer host identifiers to an attacker-controlled collector. This matches a dependency-confusion / recon beacon pattern.\n","modified":"2026-06-13T07:31:42.370949349Z","published":"2026-06-13T07:00:10Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006317","import_time":"2026-06-13T07:25:39.32409473Z","versions":["4.0.0"],"sha256":"5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158","source":"amazon-inspector","modified_time":"2026-06-13T07:00:10Z"},{"id":"IN-MAL-2026-006318","sha256":"eb14f033b6997244fdd890fbfacba9c82a164fd26a201cc39ee76408d70f208e","versions":["4.0.0"],"import_time":"2026-06-13T07:25:39.386624699Z","source":"amazon-inspector","modified_time":"2026-06-13T07:00:10Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-stack-frames/v/4.0.0"}],"affected":[{"package":{"name":"node-stack-frames","ecosystem":"npm","purl":"pkg:npm/node-stack-frames"},"versions":["4.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-stack-frames/MAL-2026-5736.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"92f0c6b04dd0de771ac648811ce14482f175f20f28457545dfc7005d079d87a95f76a5","path":"package.json","sha256":"c2eaf84a96b5d085868641e9926823208e8cb638fa21c7d27b19df9123b780a5"}],"package_integrity":[{"hashes":{"sha1":"9f2e1daa4df0f119b48e3a49985f33518f08046e","sha512_sri":"sha512-uuwE1BCNDtK0b1trymwgTuNdAUeJOAQISRRqeVv3r3iMTlYxpCwAIa5P8JIlBqRJjRvAf/3ouHY8F6yR+LDF1A=="},"filename":"node-stack-frames-4.0.0.tgz"}],"ips":["104.16.5.34","10.1.0.2","104.16.9.34"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}