{"id":"MAL-2026-5863","summary":"Malicious code in @ts-internal/shared-lib (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171)\nThe package squats the internal-looking scope @ts-internal/shared-lib on the public npm registry and runs a network beacon both during install (preinstall and postinstall hooks invoke `node lifecycle.js`) and on module load (index.js calls `require('./beacon').beacon('require')`). beacon.js collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `os.platform()`, and the package name/version, hex-encodes the blob, and transmits it via DNS lookup and HTTPS GET to `d8oa6q03t3o2ksbjirogwxiwiyhp6e57o.oast.site` (an interactsh OAST collector) and `npm-dc-seek-1781572474.testingboxes.com`. Any build that misresolves this name to the public registry will silently leak identifying host metadata to two third-party endpoints. The README self-describes the package as a dependency-confusion proof-of-concept, but installers cannot consent and cannot verify researcher authorization; the squat-plus-beacon mechanism is the attack regardless of stated intent.\n","modified":"2026-06-16T06:01:49.871440326Z","published":"2026-06-16T04:24:55Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006747","source":"amazon-inspector","modified_time":"2026-06-16T04:24:55Z","import_time":"2026-06-16T05:56:20.517273705Z","versions":["9.9.9"],"sha256":"7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ts-internal/shared-lib/v/9.9.9"}],"affected":[{"package":{"name":"@ts-internal/shared-lib","ecosystem":"npm","purl":"pkg:npm/%40ts-internal%2Fshared-lib"},"versions":["9.9.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ts-internal/shared-lib/MAL-2026-5863.json","indicators":{"evidence_files":[{"tlsh":"9c5147bb21a5621f0351329e169f33a8a7b3e3e906c45fe4389c9314af74cbc02458f9","path":"beacon.js","sha256":"a812895da2340ecc7cb988fb7fb87e635aa264638af407101310b2907fffb128"},{"tlsh":"d211653780f1533e4f904623247a22b67722e4a2282f41c4b0a50b5b1567d58939f7f7","path":"README.md","sha256":"5763080940053b28d0ab6698ede42ca86d84899b8c62811ea03a084ae37349ec"},{"tlsh":"5901c222c020aea714d0aee8f47f101675e54f6715146e093aa7000c668feab10ff21f","path":"package.json","sha256":"747352bd356295d6ddd6e21bb9aed03a3ab7b76d3b2c5ac77e1edd61d61b17ba"}],"package_integrity":[{"hashes":{"sha1":"1519a342f59132afcf00e0bb30edef13cb1c8a2b","sha512_sri":"sha512-ncdjBFZdt3SWHfEhjpqhU1sxE+2ugfONGyA/GTRKSHl9CW4kpWCOVrHtZ2JDfkuCjf3MqTZyFzg5pgU0nQHxMA=="},"filename":"shared-lib-9.9.9.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}