{"id":"MAL-2026-5792","summary":"Malicious code in nativescript-swisspost-imagepicker (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62)\npackage.json declares `preinstall: node index.js`. On `npm install`, index.js reads `process.env.INIT_CWD` (the installing project's working directory), takes its basename, and POSTs a JSON payload `{pkg, timestamp, transport, project}` to the hardcoded URL `https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5`. The package name `nativescript-swisspost-imagepicker`, the package description (`Security PoC for Bug Bounty`), and the comment `Harmless dependency confusion PoC` in index.js identify this as a dependency-confusion squat targeting an internal Swiss Post NativeScript namespace. On install, the installer's internal project name is silently leaked to a third-party endpoint, confirming the existence and naming of private packages and giving the operator of `deepbounty.dd06-dev.fr` a directory of organizations whose builds resolved this public package. Author self-labelling it as a bug-bounty PoC does not change the installer-side impact: unsolicited install-time outbound network carrying installer-side identifiers to an attacker-controlled host.\n","modified":"2026-06-15T17:31:48.882242341Z","published":"2026-06-15T15:54:11Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-15T15:54:12Z","versions":["52.31.0"],"source":"amazon-inspector","sha256":"305d997233ef6f66cb10c6e104f04006090b7a7097f7a2ba3641b791434403ce","id":"IN-MAL-2026-006508","import_time":"2026-06-15T17:22:46.61529705Z"},{"modified_time":"2026-06-15T15:54:11Z","import_time":"2026-06-15T17:22:46.559428663Z","id":"IN-MAL-2026-006507","sha256":"b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62","versions":["52.31.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nativescript-swisspost-imagepicker/v/52.31.0"}],"affected":[{"package":{"name":"nativescript-swisspost-imagepicker","ecosystem":"npm","purl":"pkg:npm/nativescript-swisspost-imagepicker"},"versions":["52.31.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"domains":["deepbounty.dd06-dev.fr"],"package_integrity":[{"hashes":{"sha1":"0f76ef808e95ff333ca18d823b38e2ab000d6f3e","sha512_sri":"sha512-tp6G/iFQLnVf93PENfhbQCowuYhBripdP5GVfpYPqqSpMpK2V7V5UHqdGUUHPjNpNefdqmY7k5S7uiDjf//m8w=="},"filename":"nativescript-swisspost-imagepicker-52.31.0.tgz"}],"ips":["90.104.23.140","104.16.9.34","10.1.0.2"],"evidence_files":[{"tlsh":"292147d15ae2662412f555c19967ec0f7227e2077e41e498b98c01491fc912ca672bc9","path":"index.js","sha256":"b109c6cb6e8f0a8cf9b86917369549a3fee7688b1af414909b8667dedb0a3f07"},{"tlsh":"e1d0222c0e20b62333818edc1c3ea8c0923e03142019cc0828c42054d2eb3b48b7f286","path":"package.json","sha256":"5b66e2a180ac229303b95e50ba19b8b52d53adadd54d9c858ef80111c8ebfdc0"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nativescript-swisspost-imagepicker/MAL-2026-5792.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}