{"id":"MAL-2026-5739","summary":"Malicious code in sheratan_haha (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd)\nOn `npm install`, the package's declared postinstall hook (`node postinstall.js`) runs `whoami` on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (`https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7`) via `https.request`. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose — the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name `sheratan_haha`), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.\n","modified":"2026-06-13T07:31:42.294353229Z","published":"2026-06-13T07:19:44Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-13T07:25:42.937796909Z","source":"amazon-inspector","sha256":"5417b03a148421c99e85e5179f9911aadfe5ad30144fa4c3bf0eb1cbd8fc2160","id":"IN-MAL-2026-006360","versions":["1.0.1"],"modified_time":"2026-06-13T07:19:45Z"},{"import_time":"2026-06-13T07:25:42.98679707Z","source":"amazon-inspector","sha256":"6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd","id":"IN-MAL-2026-006361","modified_time":"2026-06-13T07:20:36Z","versions":["1.0.0"]},{"source":"amazon-inspector","import_time":"2026-06-13T07:25:42.82928409Z","sha256":"8425e7844278696c1b266519af201afa5e89ef4cf8fa0ad7da38a297fcdbbe2f","id":"IN-MAL-2026-006359","modified_time":"2026-06-13T07:19:44Z","versions":["1.0.1"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/sheratan_haha/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/sheratan_haha/v/1.0.1"}],"affected":[{"package":{"name":"sheratan_haha","ecosystem":"npm","purl":"pkg:npm/sheratan_haha"},"versions":["1.0.1","1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"sheratan_haha-1.0.0.tgz","hashes":{"sha1":"01a36a51354f57e9bd891f47bad06ffde816e5ec","sha512_sri":"sha512-T8/iNS940hcKVvgU+DXmJ+nItmoCSvd5XXQk78bIUNovie+PqY65leyB+UpFvpDF6+K13d32lG/85RSkT9960A=="}}],"domains":["webhook.site"],"ips":["178.63.67.153"],"evidence_files":[{"sha256":"3b000e0e744ef8a80f1d503b690be975df0e2e6b75f6951cec18d57862e425ce","path":"postinstall.js","tlsh":"a501bd824da235555bf1d6a0f1129608fb83c63ba431c7637bfe02692fe98a00011fdc"},{"sha256":"0d2fe6d8a937f7d5f6d8992fee001fb1082396e3162859a4d2e49c03e473adc0","path":"package.json","tlsh":"13e0c2158811a67313f467a9aa624517b9128f1e05388c0e71bb110c52936a344adf6a"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sheratan_haha/MAL-2026-5739.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}