{"id":"MAL-2026-5898","summary":"Malicious code in strict-engine-peer (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0913b30a168bfed09d3c5ae59aeaf6a305a395f86516fb1fb8ece60bb95904de)\nOn `npm install`, the package's preinstall hook (`preinstall: node index.js` in package.json) executes index.js, which reads the installer's project directory via `process.env.INIT_CWD`, takes its basename as `safeProjectName`, and POSTs a JSON payload containing that name and a timestamp to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/d9b7e171-33a4-49c7-aa79-c95794030d3b`. The package self-describes as a 'Security PoC for Bug Bounty' / 'Harmless dependency confusion PoC', and the name `strict-engine-peer` is consistent with squatting an internal/private package name on the public npm registry. Any developer or build system that resolves this package — typically by accident, via dependency confusion against an internal package of the same name — silently discloses the existence and name of an internal project to the third-party endpoint. The 'research' framing does not change the installer-side impact: unconsented network beacon at install time, leaking organizational metadata to an attacker-controlled host.\n","modified":"2026-06-16T16:16:48.475372406Z","published":"2026-06-16T15:41:33Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006768","versions":["22.18.0"],"import_time":"2026-06-16T16:06:34.757029404Z","sha256":"0913b30a168bfed09d3c5ae59aeaf6a305a395f86516fb1fb8ece60bb95904de","source":"amazon-inspector","modified_time":"2026-06-16T15:41:38Z"},{"source":"amazon-inspector","versions":["1.0.0"],"modified_time":"2026-06-16T15:41:33Z","sha256":"ac925bb7b76abeaac88261c3f69c48a2940832889dd660b9cdd8af443b0c1183","import_time":"2026-06-16T16:06:34.628605777Z","id":"IN-MAL-2026-006767"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/strict-engine-peer/v/22.18.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/strict-engine-peer/v/1.0.0"}],"affected":[{"package":{"name":"strict-engine-peer","ecosystem":"npm","purl":"pkg:npm/strict-engine-peer"},"versions":["22.18.0","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/strict-engine-peer/MAL-2026-5898.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-k2hhqaicRXlxMirbv+UxhXh19Ug1dbhx+ERO/PjROsA7GVJhUQulrcE6dcTLw0HqXq88bNH68tRcteXK+Lc03g==","sha1":"0a5c0df2e5d1a0007a1d480cd2a0598b8488a59f"},"filename":"strict-engine-peer-22.18.0.tgz"}],"evidence_files":[{"sha256":"0ed234f98dae25f55503630021f8ed05abcb5ac25e56144963d69b5420fc811f","path":"index.js","tlsh":"d52142d516c2a17067f18fd0c4266d0af32bf2177b43c199bdac41892fb11286262dde"},{"sha256":"f43927d8fd4a65e30b3d044b3f74e5b0dc3a3b6ca41c11e9a2b10c1d374f0616","tlsh":"7fd0223f9cd0b02321c4cfc0283650a01031032c212acc54b8cc3c21d0e27b2aa2f705","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}