{"id":"MAL-2026-5750","summary":"Malicious code in mailconfirmer (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fbadb3bfdda7f6b7d425f83f9d5007a59d92c19c75fee43181a471a5627fac7f)\nThe package advertises itself as an email confirmation/verification utility, but the shipped code contains no such functionality — index.js exports only a single getThemeColor function returning a color string. The real behavior is in install-hook.js, executed via the postinstall lifecycle script. It writes a .git/hooks/post-checkout hook into the installer's local repository whose contents are `powershell -NoP -NonI -W Hidden -Enc \u003cbase64\u003e`. The base64 blob decodes to UTF-16LE PowerShell that downloads https://github.com/Dimitrijenco/Sticky_note/releases/download/v2/launcher.bin, XOR-decrypts the response with key 0x42, writes the result to %TEMP%\\tmp.exe, executes it hidden via Start-Process -WindowStyle Hidden, sleeps, and deletes it. The dropper URL is hosted on an unrelated third-party GitHub account whose repository name (Sticky_note) is unrelated to the package's stated purpose. Two layers of obfuscation (base64-encoded UTF-16LE PowerShell + XOR-encrypted payload) are used to hide both the destination and the executed bytes. 
The persistence mechanism — a git post-checkout hook — re-triggers the download-and-execute path on every future `git checkout` in any repository where the package was installed, surviving package uninstall.\n","modified":"2026-06-13T21:46:45.607951836Z","published":"2026-06-13T21:10:40Z","database_specific":{"malicious-packages-origins":[{"versions":["3.2.36"],"id":"IN-MAL-2026-006411","sha256":"ab3cad84eca57c86cc11c7bdd3e072acac609d4f034da4f5c72b38461167ee78","modified_time":"2026-06-13T21:10:48Z","import_time":"2026-06-13T21:32:33.762548026Z","source":"amazon-inspector"},{"versions":["3.3.11"],"id":"IN-MAL-2026-006407","import_time":"2026-06-13T21:32:33.619539023Z","modified_time":"2026-06-13T21:10:42Z","sha256":"de9ef8c8cab85ca4e823488834021667649cf2de0712bf45f5e8018160b4263f","source":"amazon-inspector"},{"versions":["3.3.12"],"id":"IN-MAL-2026-006405","sha256":"e52f457c75436cfdff28cbf77522b7fd1e8c4470cee05d2058b6dbb3ad3c9adb","modified_time":"2026-06-13T21:10:40Z","import_time":"2026-06-13T21:32:33.548397829Z","source":"amazon-inspector"},{"versions":["3.2.34"],"id":"IN-MAL-2026-006410","import_time":"2026-06-13T21:32:33.730505728Z","modified_time":"2026-06-13T21:10:44Z","sha256":"eede6f1c9fae38c807231ada52a36f68c02665da89e136a5067c7b2fbd2e278d","source":"amazon-inspector"},{"modified_time":"2026-06-13T21:10:41Z","id":"IN-MAL-2026-006406","import_time":"2026-06-13T21:32:33.586759588Z","sha256":"fa2d157af30e6767ee02f791a0371ca0be7f3f9d4e8b3ebb949ef7f7c0b3a1aa","versions":["3.2.38"],"source":"amazon-inspector"},{"versions":["3.2.35"],"id":"IN-MAL-2026-006408","sha256":"fbadb3bfdda7f6b7d425f83f9d5007a59d92c19c75fee43181a471a5627fac7f","modified_time":"2026-06-13T21:10:43Z","import_time":"2026-06-13T21:32:33.650159998Z","source":"amazon-inspector"},{"versions":["3.2.35"],"id":"IN-MAL-2026-006409","import_time":"2026-06-13T21:32:33.693842334Z","modified_time":"2026-06-13T21:10:43Z","sha256":"b407412bea355d5ff296e45c1b9fc4afdcd20624f98a8bf3f32cb37ef64b2f41","source"
:"amazon-inspector"},{"modified_time":"2026-06-13T21:10:40Z","id":"IN-MAL-2026-006404","import_time":"2026-06-13T21:32:33.500761473Z","sha256":"d66737fba6d2c0034f50352ebfa965356b9f75500f2adc19833be3628b7b9430","versions":["3.3.13"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mailconfirmer/v/3.2.36"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mailconfirmer/v/3.3.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mailconfirmer/v/3.3.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mailconfirmer/v/3.2.34"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mailconfirmer/v/3.2.38"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mailconfirmer/v/3.2.35"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/mailconfirmer/v/3.3.13"}],"affected":[{"package":{"name":"mailconfirmer","ecosystem":"npm","purl":"pkg:npm/mailconfirmer"},"versions":["3.2.36","3.3.11","3.3.12","3.2.34","3.2.38","3.2.35","3.3.13"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious 
Code","cweId":"CWE-506"}],"indicators":{"ips":["151.101.192.223","140.82.112.3","185.199.108.133","185.199.109.133","151.101.64.223","151.101.0.223"],"package_integrity":[{"hashes":{"sha1":"c9bcac06168b4181c17df5768652489080c50da1","sha512_sri":"sha512-wWm4gSdpiiRlUkHTFAKPliQdEF/wrLYCqEYy/EfQsYBcW+Anck2DTxlHCyk5sL8lfarsXJlnbfpIuoSCMTnBmA=="},"filename":"mailconfirmer-3.2.36.tgz"}],"evidence_files":[{"tlsh":"8761e03d8a75fdd043aeb2d05d3a3f0b10985f13a7b9656ce5d205e82824a85ef3a19c","sha256":"eff924265960cb90e5cb7da874a3ebc2312f2b9acf0d628fd405f2e728efa01c","path":"install-hook.js"},{"sha256":"9047c1a0243416cff52f590db440dfaad432c5d85dcb54bb790164dd47b33daa","tlsh":"f9e02053cf48159339f64bf75c1b51467eb20b6f14105d06397350544750b726f2bf19","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mailconfirmer/MAL-2026-5750.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}