{"id":"MAL-2026-5889","summary":"Malicious code in @dsft/ft-element (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7a7ba80413e901c3cf618c92bd61dc6942bf167fac46b0dc7c554a4a06f705c1)\nOn `npm install`, the package's preinstall hook (`preinstall: node index.js` in package.json) executes index.js, which reads `process.env.INIT_CWD`, derives the installing project's directory name via `path.basename()`, and POSTs a JSON beacon `{pkg, timestamp, transport, project}` to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/e51c2215-3fa8-48f1-ad64-1cf792e0cccc`. The package is published under the `@dsft` scope and self-describes as a dependency-confusion PoC (`description: Security PoC for Bug Bounty`; index.js comment: `Harmless dependency confusion PoC`). Any build pipeline that expects a private `@dsft/ft-element` package and resolves to this public version will silently leak the project's directory name — which typically equals the private package/repo name — to a third-party endpoint, confirming a successful dependency-confusion takeover target. Installers receive no disclosure or consent. Although the author frames this as harmless research, the mechanism (unconditional install-time beacon containing host-identifying context to an attacker-controlled URL) is a supply-chain attack against any installer the scope collision affects.\n","modified":"2026-06-16T16:16:49.196132503Z","published":"2026-06-16T15:27:18Z","database_specific":{"malicious-packages-origins":[{"sha256":"7a7ba80413e901c3cf618c92bd61dc6942bf167fac46b0dc7c554a4a06f705c1","id":"IN-MAL-2026-006755","source":"amazon-inspector","import_time":"2026-06-16T16:06:33.396901985Z","versions":["2.5.9"],"modified_time":"2026-06-16T15:27:18Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@dsft/ft-element/v/2.5.9"}],"affected":[{"package":{"name":"@dsft/ft-element","ecosystem":"npm","purl":"pkg:npm/%40dsft%2Fft-element"},"versions":["2.5.9"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dsft/ft-element/MAL-2026-5889.json","indicators":{"evidence_files":[{"sha256":"7655a87a22c24a1fa1d5f96220098e71a101198b189b7b9e167d6d4af2ff6e4e","path":"index.js","tlsh":"5e2144a01be3a62012f959c0856bed0e732ba2077e42e498f98c01991fcd12c9172fc9"},{"sha256":"b7d6f4ab7a02c0fd2f5188e79d5957d59b5596bc91ec4de8a349108001826363","path":"package.json","tlsh":"99c0127c4d15b6237ad58edd0c7ea48891ae02142056cc4868c53064d0fa6b5956f745"}],"package_integrity":[{"hashes":{"sha1":"22f16cf2b1894ca5163ef4c876c5fd806f213a12","sha512_sri":"sha512-UU0s152Eiv5XhNP4u3hfwgu6YtWWbz6uhx+xsXFvQ5uXeYSi/Fzo5in2iRtwo6/rXN2YnquC1TfglWtVlmmrCQ=="},"filename":"ft-element-2.5.9.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}