{
  "id": "MAL-2026-5793",
  "summary": "Malicious code in nativescript-swisspost-pcc-creative-editor (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049)\nPackage masquerades as an internal Swiss Post NativeScript package (name `nativescript-swisspost-pcc-creative-editor`, description literally `Security PoC for Bug Bounty`). package.json declares `preinstall: node index.js`. On `npm install`, index.js reads `process.env.INIT_CWD`, takes its basename as the installer's project directory name, and POSTs it together with a timestamp to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/dc8ee9ff-1372-47c3-b2b6-ce0564ce1f90`. Effect on the installer: arbitrary Node code executes at install time and the installer's project name is leaked to a third-party host without consent. Although the author labels it a bug-bounty proof of concept, the package is structurally a dependency-confusion attack — any developer or build system that pulls it expecting the legitimate internal Swiss Post package suffers code execution and information disclosure.\n",
  "modified": "2026-06-15T17:31:48.912887021Z",
  "published": "2026-06-15T15:54:05Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "versions": ["54.16.3"],
        "sha256": "a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049",
        "import_time": "2026-06-15T17:22:46.367601595Z",
        "id": "IN-MAL-2026-006505",
        "source": "amazon-inspector",
        "modified_time": "2026-06-15T15:54:05Z"
      },
      {
        "sha256": "c8eca023031e2488506fef1a8b6917bc8a860495d86b3e644595da683f9f77f7",
        "import_time": "2026-06-15T17:22:46.421029997Z",
        "versions": ["54.16.3"],
        "id": "IN-MAL-2026-006506",
        "source": "amazon-inspector",
        "modified_time": "2026-06-15T15:54:06Z"
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/nativescript-swisspost-pcc-creative-editor/v/54.16.3"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "nativescript-swisspost-pcc-creative-editor",
        "ecosystem": "npm",
        "purl": "pkg:npm/nativescript-swisspost-pcc-creative-editor"
      },
      "versions": ["54.16.3"],
      "database_specific": {
        "cwes": [
          {
            "name": "Embedded Malicious Code",
            "description": "The product contains code that appears to be malicious in nature.",
            "cweId": "CWE-506"
          }
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nativescript-swisspost-pcc-creative-editor/MAL-2026-5793.json",
        "indicators": {
          "ips": ["10.1.0.2", "90.104.23.140", "104.16.5.34"],
          "evidence_files": [
            {
              "sha256": "53f5a9b421295e5579d6e3bd0d511b19a9b0e878e74eee3d4c6281e2157a057c",
              "tlsh": "0021479157e2963012e659d1c96bdd0f731ba2077e01e498f9cc01591fcd12c9672fdd",
              "path": "index.js"
            },
            {
              "sha256": "4279d77237f7666948eda89da2726d3ce2f71e9ee909bb0867b909d311febf08",
              "tlsh": "78d0a72e4d10b95322808edd483d50c4926d03142415c80858c42064d0d67b9872e156",
              "path": "package.json"
            }
          ],
          "domains": ["deepbounty.dd06-dev.fr"],
          "package_integrity": [
            {
              "filename": "nativescript-swisspost-pcc-creative-editor-54.16.3.tgz",
              "hashes": {
                "sha1": "8d511a82aca00f8d13e56c46557aaa9512853578",
                "sha512_sri": "sha512-BCgo5lTPX6Lho5yJbOpUV7YaWg1UD7Atw5IZ7kdQ0yFOOzS2hc+H41Va9QbFqzi631YhVJFGID32FPdzn9YWuQ=="
              }
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["inspector-research@amazon.com"],
      "type": "FINDER"
    }
  ]
}