{"id":"MAL-2026-5890","summary":"Malicious code in @dsft/ft-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a80ec07b8de5ed0e8cf43a8584075210d47e80e7bcc04368a5029f7637188db3)\nThe package is a dependency-confusion proof-of-concept squatting on the @dsft/ scope. Its package.json declares a preinstall hook that runs index.js, which reads the installer's INIT_CWD environment variable (the consumer's project directory), derives the project's basename, and POSTs it together with a package identifier and timestamp to a hardcoded third-party URL (https://deepbounty.dd06-dev.fr/cb/f9543624-20d8-465b-a026-d01872b93933). The package provides no library functionality matching its name; the install-time beacon is its sole behavior, and the package self-describes as a 'Security PoC for Bug Bounty.' Any `npm install` of this package automatically discloses the installing project's directory name and confirms the host's environment to the operator of the callback endpoint, without consent.\n","modified":"2026-06-16T16:16:49.412392596Z","published":"2026-06-16T15:27:24Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-16T15:27:24Z","versions":["1.5.8"],"id":"IN-MAL-2026-006756","sha256":"a80ec07b8de5ed0e8cf43a8584075210d47e80e7bcc04368a5029f7637188db3","source":"amazon-inspector","import_time":"2026-06-16T16:06:33.48763841Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@dsft/ft-utils/v/1.5.8"}],"affected":[{"package":{"name":"@dsft/ft-utils","ecosystem":"npm","purl":"pkg:npm/%40dsft%2Fft-utils"},"versions":["1.5.8"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"1dacb0a9e8320eee9fa33b01c270ba300c56d116f0eddea56047183610dae334","path":"index.js","tlsh":"5d21149056e3a62456ea5ac0996bec0e732ba2077e46e498b58c01891fc912ca572fc9"},{"sha256":"3f16ca5b1448d2d42a811a8d2d46cc6321b9436c3f85a02fde41dbaf81777373","path":"package.json","tlsh":"c8c0127c0d26b5232bc58eec193da484916d0228205adc4868c53014d0e67f5956f745"}],"package_integrity":[{"filename":"ft-utils-1.5.8.tgz","hashes":{"sha1":"5521024b1017059d1ca75a02a12d768b4e911cf3","sha512_sri":"sha512-jgPGlGULXUkWqWxa1xjP9tQM8xYCEC2WB84jprKk0A5skyDDJr6BFKWLYWmDCHlGRL3BWw5P86i44Fa7Eoxezg=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dsft/ft-utils/MAL-2026-5890.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}