{"id":"MAL-2026-5780","summary":"Malicious code in ing-feat-itsme-oidc-authentication (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (175d0dba1f70bc84bcd4e29b57e0f7831248582614cd146af7d1ea6d1d057cd5)\nOn npm install, package.json's preinstall hook executes poc.js, which collects os.hostname(), os.userInfo().username, process.cwd(), and process.platform, base64-encodes the values, and issues an HTTPS GET to https://d8ntv8plujrg25sttkvg31bowtxhm7ex7.oast.live/cb?id=\u003ctoken\u003e&d=\u003cb64\u003e — sending installer host, user, working directory, and platform to an external Burp Collaborator / interactsh subdomain without consent. The package is named to mimic an internal ING Bank namespace and pinned to version 99.99.99 to win resolution in dependency-confusion scenarios. Any developer or CI environment that resolves this name leaks identifying host data to an attacker-controlled collaborator endpoint. This matches the textbook dependency-confusion exfiltration pattern regardless of any authorization claim made by the author.\n","modified":"2026-06-15T15:46:47.530478843Z","published":"2026-06-15T15:10:24Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-15T15:10:24Z","id":"IN-MAL-2026-006490","sha256":"175d0dba1f70bc84bcd4e29b57e0f7831248582614cd146af7d1ea6d1d057cd5","versions":["99.99.99"],"source":"amazon-inspector","import_time":"2026-06-15T15:30:22.483059557Z"},{"modified_time":"2026-06-15T15:10:25Z","id":"IN-MAL-2026-006491","sha256":"1a856d57687500c13a5582ce21b881745336d65d4aa952ca939a301876d65b23","versions":["99.99.99"],"source":"amazon-inspector","import_time":"2026-06-15T15:30:22.610684557Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ing-feat-itsme-oidc-authentication/v/99.99.99"}],"affected":[{"package":{"name":"ing-feat-itsme-oidc-authentication","ecosystem":"npm","purl":"pkg:npm/ing-feat-itsme-oidc-authentication"},"versions":["99.99.99"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-GK831PdK9oM2PCopvWeZoCmXGMkr4naQvGR2qoXXke4no1dQ3z/JZYmFg6QSyakRlO4OzcerIcc+d86DEQTQ0A==","sha1":"b2888ae0eff2ec66c9429a66ba05030d16609ec3"},"filename":"ing-feat-itsme-oidc-authentication-99.99.99.tgz"}],"domains":["d8ntv8plujrg25sttkvg31bowtxhm7ex7.oast.live"],"ips":["178.128.210.172"],"evidence_files":[{"sha256":"026c9331347569ea2c351a3cc07472b65150cca25cd0aefc32d4680563b7092c","tlsh":"da0165b243f9d618155164c33743de7a500195042c93a0d4fa3d0200dfe27388373bf8","path":"poc.js"},{"sha256":"7d6a50657acc399c345f0f29ab3312db361a7b0df8cc390f71f4679849006164","tlsh":"4fd0a7296d41e57728d10fe2496aa16631b08d6e5e5670485783902d54cabf393bb30f","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ing-feat-itsme-oidc-authentication/MAL-2026-5780.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}