{"id":"MAL-2026-6069","summary":"Malicious code in @civitatis/bot-ui (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7)\nThe package declares `\"preinstall\": \"node index.js\"` in package.json, causing index.js to execute automatically on `npm install`. index.js requires `child_process`, `os`, `https`, and `http`, then collects host and user identity — `whoami`, `id`, `os.hostname()`, `process.platform`, architecture, homedir, `os.userInfo()` (username/uid/gid/shell), OS details, and cwd — and POSTs them as JSON to the hardcoded URL `https://277k5lhnsb38srix1rr2le9g177yvpje.oastify.com/detox56` (oastify.com is the Burp Collaborator out-of-band interaction service, commonly abused as recon/C2 infrastructure). The package ships no legitimate functionality — empty description, empty author, no UI code despite the `bot-ui` name — and the `@civitatis` scope plus generic name shape are consistent with a dependency-confusion attack against an internal namespace. Installing this package on any developer machine or CI runner immediately leaks host identity to the attacker.\n","modified":"2026-06-17T20:01:52.006664734Z","published":"2026-06-17T18:55:02Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006926","sha256":"e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7","versions":["15.12.11"],"modified_time":"2026-06-17T18:55:02Z","source":"amazon-inspector","import_time":"2026-06-17T18:56:07.693569058Z"},{"id":"IN-MAL-2026-006930","sha256":"6c7b137f3a76494fda4324f6d092333d5017df9b8b0edeed588b1e1ed6f45675","versions":["14.12.11"],"modified_time":"2026-06-17T19:07:36Z","source":"amazon-inspector","import_time":"2026-06-17T19:45:56.627936104Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@civitatis/bot-ui/v/15.12.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@civitatis/bot-ui/v/14.12.11"}],"affected":[{"package":{"name":"@civitatis/bot-ui","ecosystem":"npm","purl":"pkg:npm/%40civitatis%2Fbot-ui"},"versions":["15.12.11","14.12.11"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"a299b42fd45d034de3123be6a5bedc85ca0e3b2c","sha512_sri":"sha512-8zeaVWe4vODDFkbibGa45KdXuB+EiVTogseQLuHpimcDgv5Li3WqgQMHRjVWwD4C+FwcanwMqU4QEl/E/tezJA=="},"filename":"bot-ui-15.12.11.tgz"}],"evidence_files":[{"sha256":"3ff6c041e827912a9b07619a7de5ae890dd053caed6a6090cd0552696baa5b7f","path":"index.js","tlsh":"665161c515f65a241ba7b8494a4f9402a327e003354aee55bfcc8340af8937c97f0bf2"},{"sha256":"ae801dcd7ffa9fb46b5fa08809e4ee7c8b37f67580f643241727fae4290f43b3","path":"package.json","tlsh":"64d05e704e61653365d11263482ba45763a1cf6f1504bc08a7cb582c82de67789fe30e"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@civitatis/bot-ui/MAL-2026-6069.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}