{"id":"MAL-2026-5832","summary":"Malicious code in vend-utilities (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1)\npackage.json declares `preinstall: node index.js`, causing index.js to run automatically on `npm install`. The script collects installer host identity (os.hostname(), os.userInfo() including uid/gid/shell/homedir, process.cwd(), process.platform/arch, OS release, memory, cpus) and executes `whoami` and `id` via child_process to capture their output, then POSTs the combined JSON payload to a hardcoded Burp Collaborator subdomain at https://6cjy9tle5weq8pr6m8r5znzd349vxmlb.oastify.com/detox56 (index.js:7,:83). The package has empty author/description metadata and a dependency-confusion-style name. An undeclared 10.8 KB sibling file `i` ships in the tarball but is not reached by the preinstall path. Installing this package leaks installer host identity and shell-recon output to an attacker-controlled endpoint.\n","modified":"2026-06-15T20:31:52.774450983Z","published":"2026-06-15T19:24:31Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-15T20:14:25.790885098Z","id":"IN-MAL-2026-006671","modified_time":"2026-06-15T19:24:32Z","sha256":"7e920e81a12f006bdeabc6fcfe8f9ddf6620e280edeb68435d4b1f6aaf4752a4","versions":["14.12.11"],"source":"amazon-inspector"},{"import_time":"2026-06-15T20:14:25.689309347Z","modified_time":"2026-06-15T19:24:31Z","id":"IN-MAL-2026-006670","sha256":"89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1","versions":["14.12.11"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vend-utilities/v/14.12.11"}],"affected":[{"package":{"name":"vend-utilities","ecosystem":"npm","purl":"pkg:npm/vend-utilities"},"versions":["14.12.11"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vend-utilities/MAL-2026-5832.json","indicators":{"package_integrity":[{"filename":"vend-utilities-14.12.11.tgz","hashes":{"sha512_sri":"sha512-g4nBNfMk38t2X6YOUELSEmM4UbHcAvXcPHpfFvJU+0P952wZPFB/aRfCXptW5ivKaZ5LR6ZR+swMtTpOv0FEBQ==","sha1":"6291107c94b556b2871b3b94f04feb0caaf168bd"}}],"ips":["54.77.139.23","3.248.33.252"],"domains":["6cjy9tle5weq8pr6m8r5znzd349vxmlb.oastify.com"],"evidence_files":[{"path":"index.js","sha256":"c47fd0cd5a3d76aa07876935f1337076e75bfb75876e9dc5bef123a1ec50d883","tlsh":"7d5152c515f699241b67b8494a4f9402a327e0033509ee55bfcc8340af8837c97f0bf6"},{"path":"i","sha256":"5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a","tlsh":"d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}