{"id":"MAL-2026-5987","summary":"Malicious code in ogd-analytics (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1df5f4bdd6e2f58ff581cbad0d01738b5f6464794ace1a9fa95eea061a5bb7d5)\npackage.json declares a preinstall lifecycle script that runs automatically during `npm install`. The script executes `hostname`, `whoami`, and `pwd`, then uses curl to POST the combined output (current user, host name, and install directory) as a urlencoded `info` field to https://webhook.site/1ea0386f-dcc0-4f1b-bdbb-61732d6535fb/ogd-analytics. webhook.site is an anonymous request-bin service, not a publisher-controlled domain, and the beacon has no relation to any advertised analytics functionality. The behavior is unconditional installer-side reconnaissance — user identity, machine identity, and filesystem location are exfiltrated to a third-party collector on every install, providing an attacker the host inventory needed for follow-on targeting (dependency confusion, internal-build-system fingerprinting).\n","modified":"2026-06-17T06:02:04.504566503Z","published":"2026-06-17T04:18:46Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"import_time":"2026-06-17T05:45:41.655646294Z","modified_time":"2026-06-17T04:18:46Z","sha256":"1df5f4bdd6e2f58ff581cbad0d01738b5f6464794ace1a9fa95eea061a5bb7d5","source":"amazon-inspector","id":"IN-MAL-2026-006875"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ogd-analytics/v/1.0.0"}],"affected":[{"package":{"name":"ogd-analytics","ecosystem":"npm","purl":"pkg:npm/ogd-analytics"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"package.json","sha256":"473db8ff147b7e322853be3bae7c3089cad703f2c64fba8bd091920102ef3637","tlsh":"35d02bf56b607273988f17b22a95f058d6705b0f10c9dc399ac7021d63461a231eb65b"}],"package_integrity":[{"filename":"ogd-analytics-1.0.0.tgz","hashes":{"sha1":"489ab158a72ecb94e0a21e1c8e7061d29de1e708","sha512_sri":"sha512-hft3qk26cUExsQN3I1pt8CPX01X9TnTzygq0XpW/WTjxsGG2Iu77/QOFZAJJBxnv0CisldT5YW1RGdsRtMmgrQ=="}}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ogd-analytics/MAL-2026-5987.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}