{"id":"MAL-2026-5829","summary":"Malicious code in unico-android (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8c642a2e29290c07b5c7eb9481ad34f1b907e43ffe5edd8c33f67254f4e9a192)\nOn `npm install`, the package.json preinstall hook runs `curl` against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query parameters carrying the installer's hostname, username (`$(whoami)`), current working directory (`$(pwd)`), kernel/OS string (`$(uname -a)`), and `$HOME`. The destination is a third-party request-capture service used as ad-hoc C2; the installer has not consented to this outbound transmission. The package otherwise ships no functional code despite advertising itself as the \"Unico Android SDK - biometric identity verification\" library, and is published at version 9.9.9 — a sentinel commonly used to outrank legitimate internal versions in dependency-confusion attacks against an organization's private registry. The combination of a hollow manifest impersonating an internal SDK name, a sentinel version, and an automatic install-time recon beacon is the canonical dependency-confusion / namespace-abuse attack shape.\n\n## Source: ossf-package-analysis (d6c5b81593e67b897531a12889d12e8a8763647a835852fa85e14be94958b6c7)\nThe OpenSSF Package Analysis project identified 'unico-android' @ 9.9.9 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-16T06:01:49.374465846Z","published":"2026-06-15T11:56:23Z","database_specific":{"malicious-packages-origins":[{"versions":["9.9.9"],"modified_time":"2026-06-15T19:59:36Z","sha256":"8c642a2e29290c07b5c7eb9481ad34f1b907e43ffe5edd8c33f67254f4e9a192","id":"IN-MAL-2026-006697","source":"amazon-inspector","import_time":"2026-06-15T20:14:28.955979375Z"},{"modified_time":"2026-06-15T11:56:23Z","sha256":"d6c5b81593e67b897531a12889d12e8a8763647a835852fa85e14be94958b6c7","versions":["9.9.9"],"source":"ossf-package-analysis","import_time":"2026-06-16T05:56:18.303697362Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/unico-android/v/9.9.9"}],"affected":[{"package":{"name":"unico-android","ecosystem":"npm","purl":"pkg:npm/unico-android"},"versions":["9.9.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unico-android/MAL-2026-5829.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"unico-android-9.9.9.tgz","hashes":{"sha1":"fdab46a17081bf13318b0fdf8d3ac28d41145778","sha512_sri":"sha256-zDQJgVuKgY9x4z2lYNO6qBGQTktMFjOPPiYWunbd7ds="}}],"evidence_files":[{"sha256":"41389b0423caa7497618dc5bf1e11fa229e16993e31ec095aaee3ceec7d14d8f","tlsh":"bce068e2df18e22133da5952be185084ff616e4f15303e18ba8346a0201c2b94483f2e","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}