{"id":"MAL-2026-5747","summary":"Malicious code in @giftyhq/widget-components (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62)\npackage.json declares `\"preinstall\": \"node index.js\"`, which fires automatically on `npm install`. index.js collects host fingerprinting data — `os.hostname()`, `os.userInfo()`, `process.platform`, uid/gid, shell, cwd, and the output of `child_process.exec('whoami')` and `exec('id')` — and POSTs the result as JSON to the hardcoded URL `https://zad79wtflht20n15czfieir3quwlkb80.oastify.com/detox56`. The destination is a Burp Collaborator (oastify.com) out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The package ships no legitimate component code; metadata is empty (no author, no description) and the package's only effect is the install-time recon beacon. Name and scope are consistent with a dependency-confusion / namespace-squat lure.\n","modified":"2026-06-13T21:46:45.606337828Z","published":"2026-06-13T21:04:52Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-13T21:32:33.126156917Z","source":"amazon-inspector","versions":["19.12.11"],"sha256":"8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62","modified_time":"2026-06-13T21:04:52Z","id":"IN-MAL-2026-006397"},{"import_time":"2026-06-13T21:32:33.237021786Z","source":"amazon-inspector","versions":["19.12.11"],"sha256":"cbc5281f5eee9d9c1c78060b669e0228c72578f384f969d7773dc144a1e10157","modified_time":"2026-06-13T21:04:52Z","id":"IN-MAL-2026-006398"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@giftyhq/widget-components/v/19.12.11"}],"affected":[{"package":{"name":"@giftyhq/widget-components","ecosystem":"npm","purl":"pkg:npm/%40giftyhq%2Fwidget-components"},"versions":["19.12.11"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@giftyhq/widget-components/MAL-2026-5747.json","indicators":{"ips":["54.77.139.23","3.248.33.252"],"evidence_files":[{"tlsh":"0e5140c515f65a241ba7b8494a4f9402a327e0033609ee55bfcc8740af9937c9bf0bf2","sha256":"97144b8512332b532b56c06bde3b346c438a099353c39c1a085016bfb258b27a","path":"index.js"},{"tlsh":"99d05e304e21653369c502a2082aa45762b18e6f5405bc0867dba82d82ce67798fb35d","sha256":"aa802b3eb93569b0776a4c4744057fe2e8f7fa6cc27aac3046467965b25acf04","path":"package.json"}],"domains":["zad79wtflht20n15czfieir3quwlkb80.oastify.com"],"package_integrity":[{"filename":"widget-components-19.12.11.tgz","hashes":{"sha512_sri":"sha512-KlZK3xviyngCfPKiDOZ/Wa/5wc2j6Dl+QyXHjdSkLBum1uhh34ffs5ZLFcF6NDp4Fyu+I+ntayk1asTrsiRZmQ==","sha1":"a313c3e424481b1d9147fbe8c1f7f706ade082dc"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}