{"id":"MAL-2026-5745","summary":"Malicious code in oa-crm-webapi (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (00cdaf89f7ae5fd12400ea55acd4849e8e5095dfc51188d3339ecdfa5dc0f2a1)\noa-crm-webapi@9.9.99 is a dependency-confusion payload squatting an internal-sounding package name. package.json declares a postinstall hook (`node beacon.js`) which fires automatically on `npm install`. beacon.js reads `os.hostname()` and transmits it to the attacker-controlled Burp Collaborator host `yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com` via two channels: a DNS lookup of `\u003cnonce\u003e.\u003chostname\u003e.\u003ccollaborator-host\u003e` (out-of-band DNS exfil) and an HTTPS POST to the same host with the hostname in the body. The 9.9.99 version + generic 'internal placeholder' description is the canonical shape used to hijack private package names by overriding the legitimate internal registry resolution. A successful install both proves code execution on the installer and leaks the internal hostname to an external attacker.\n","modified":"2026-06-13T20:46:41.201051489Z","published":"2026-06-13T20:11:58Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006371","modified_time":"2026-06-13T20:11:58Z","import_time":"2026-06-13T20:33:18.623864738Z","sha256":"00cdaf89f7ae5fd12400ea55acd4849e8e5095dfc51188d3339ecdfa5dc0f2a1","source":"amazon-inspector","versions":["9.9.99"]},{"id":"IN-MAL-2026-006372","modified_time":"2026-06-13T20:11:59Z","import_time":"2026-06-13T20:33:18.697504403Z","sha256":"b79727b87504bf711bab8101367dab95ab032fbad7b30737cef3852f4317e36c","source":"amazon-inspector","versions":["9.9.99"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/oa-crm-webapi/v/9.9.99"}],"affected":[{"package":{"name":"oa-crm-webapi","ecosystem":"npm","purl":"pkg:npm/oa-crm-webapi"},"versions":["9.9.99"],"database_specific":{"indicators":{"domains":["1599f37b.scan-c13bd1511a00.yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com","yfhjhookbia8zov0q5hh772xroxfl69v.oastify.com"],"package_integrity":[{"filename":"oa-crm-webapi-9.9.99.tgz","hashes":{"sha512_sri":"sha512-aT766b83Eym4j2tN/nvPusor2nhhoL/tKvI36NT6S3L4fFCH+FjjzMr39pciYXRHGl3MvIHtUiZhdSb9ile5Hg==","sha1":"f9cc22e6aaa2c4ae6c713a933fb5a150de87bbc1"}}],"evidence_files":[{"path":"beacon.js","sha256":"6ce93adae86d974552f118d547288143808391bac5bfb5c47474ad01dee81e33","tlsh":"fb21c8ff50a8a2823fa775c5d26f23661113d1728281cfe0f4afd2655f9863942628fc"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oa-crm-webapi/MAL-2026-5745.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}