{"id":"MAL-2026-5830","summary":"Malicious code in unico-check (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d)\npackage.json declares a preinstall lifecycle hook that runs `curl` against `https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f`, passing the installer's hostname, current user, working directory, full `uname -a` output, and `$HOME` as query parameters. The beacon fires automatically on `npm install` with no user interaction. The package ships no source files, declares no main entry, and uses the implausible version `9.9.9` — the canonical shape of a dependency-confusion / typosquat reconnaissance package targeting builds that may resolve a private `unico-check` from the public registry. The package's only effect on installation is to leak host identifiers to an anonymous, attacker-controlled webhook.site bin, staging follow-on compromise.\n\n## Source: ossf-package-analysis (61af12e58a8af18142c41410d07328ba0dbfb7e79b145d84b2389444c27b2abc)\nThe OpenSSF Package Analysis project identified 'unico-check' @ 9.9.9 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-16T06:01:49.615179998Z","published":"2026-06-15T11:26:18Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006698","import_time":"2026-06-15T20:14:29.063431799Z","versions":["9.9.9"],"sha256":"1945d7aee54e60800e30f150e6db8042fa3aee9ea99f6b5a4ab14e2a1c26571d","source":"amazon-inspector","modified_time":"2026-06-15T19:59:40Z"},{"modified_time":"2026-06-15T11:26:18Z","import_time":"2026-06-16T05:56:18.487539067Z","versions":["9.9.9"],"sha256":"61af12e58a8af18142c41410d07328ba0dbfb7e79b145d84b2389444c27b2abc","source":"ossf-package-analysis"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/unico-check/v/9.9.9"}],"affected":[{"package":{"name":"unico-check","ecosystem":"npm","purl":"pkg:npm/unico-check"},"versions":["9.9.9"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"013f522d7050d6ac7256e878e84e203afe73cfc9e8ab6332717e66382f05968c","tlsh":"bce0c0f39e14e22133d75892ad206485fba16e4e52343e18bac34541004c6ba440372c","path":"package.json"}],"package_integrity":[{"filename":"unico-check-9.9.9.tgz","hashes":{"sha1":"e78a853c7ef72164079336f3681395ec35c8a367","sha512_sri":"sha256-7GOZUC/PuPKB1WST4qGezTDAR5Ej2eJMavsma6W+x1M="}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/unico-check/MAL-2026-5830.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}