{"id":"MAL-2026-5929","summary":"Malicious code in backoffice-charges-module (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (047eb92a0e8bb401b2c205765616c9b4b715ee7cfd33d2e6ef9dc8d645b77f04)\nOn every `npm install`, the `preinstall` lifecycle script (`node index.js \u003e /dev/null 2\u003e&1`) silently HTTPS-POSTs a JSON payload to `https://avamnrwqo7.rbmock.dev/` containing the package name, a generated execution_id, `process.version`, `process.platform`, `process.arch`, and an ISO timestamp. Output is redirected to /dev/null to hide the network call from the installer. The package has empty description, author 'poc', declares a `main.js` that is not shipped, and uses an artificially high version number (1.999.0) — classic dependency-confusion/typosquat reconnaissance signals. The beacon allows whoever controls `avamnrwqo7.rbmock.dev` to enumerate which internal CI runners and developer hosts have resolved this name from the public registry instead of an internal one, identifying targets for follow-up payloads.\n","modified":"2026-06-16T23:16:57.368765760Z","published":"2026-06-16T22:30:57Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006853","versions":["1.999.0"],"source":"amazon-inspector","sha256":"047eb92a0e8bb401b2c205765616c9b4b715ee7cfd33d2e6ef9dc8d645b77f04","import_time":"2026-06-16T23:03:43.96905195Z","modified_time":"2026-06-16T22:30:57Z"},{"import_time":"2026-06-16T23:03:44.118662979Z","id":"IN-MAL-2026-006855","source":"amazon-inspector","sha256":"291d2f99e4ff8c22838130d0ac21fb5e6343e42af5d47180c9ce74aa28a937d7","versions":["2.999.1"],"modified_time":"2026-06-16T22:30:59Z"},{"id":"IN-MAL-2026-006854","versions":["2.999.0"],"source":"amazon-inspector","sha256":"94194d04dd4e91ba9949949bf3054514b786ebb4ffcd3a249d7a4c3a99567139","import_time":"2026-06-16T23:03:44.050301185Z","modified_time":"2026-06-16T22:30:58Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/backoffice-charges-module/v/1.999.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/backoffice-charges-module/v/2.999.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/backoffice-charges-module/v/2.999.0"}],"affected":[{"package":{"name":"backoffice-charges-module","ecosystem":"npm","purl":"pkg:npm/backoffice-charges-module"},"versions":["1.999.0","2.999.1","2.999.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/backoffice-charges-module/MAL-2026-5929.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"backoffice-charges-module-1.999.0.tgz","hashes":{"sha512_sri":"sha512-PyYansBwQdLeLTIIiXGwfB/bUHyHUsEQtTqnEYRGxof6TGUsRP6+rMpooAlTmZ+hRWPbXDrnEC6x7qMiGK2now==","sha1":"eaab801ec2b80fe4c5e12e4886ba12fddc737b28"}}],"evidence_files":[{"tlsh":"1af0fe92ddf988321bfca140e0a1a9155a6fc572ba0b64f4f39401685fcd5e800221ac","sha256":"3872730f507d074afded9a38f46de0538ef50d2c3f5e42b19ba803d5a559aeaf","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}