{"id":"MAL-2026-6124","summary":"Malicious code in @onum-releases/ixel (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599)\nOn import, index.js reads os.hostname() and issues an HTTPS GET to `ixel.\u003chostname\u003e.200majoeu01dk02xnjdajro1isojc90y.oastify.com/ixel` (oastify.com is Burp Suite's Collaborator out-of-band interaction domain). The hostname is embedded as a DNS subdomain label, so the DNS resolution alone leaks the installer's hostname to an attacker-controlled nameserver regardless of whether the HTTP request succeeds. Any developer machine or CI runner that `require()`s this package — directly or transitively — sends a host identifier to the operator of the configured Collaborator instance. The package.json description (\"Security PoC placeholder - benign, no runtime payload\") contradicts the shipped code, and the `@onum-releases` scope appears designed to resemble a legitimate vendor releases namespace.\n","modified":"2026-06-18T17:16:47.302918609Z","published":"2026-06-18T16:15:22Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006995","sha256":"03f19785a8c7b4908b1bdab949073500ac828a2ccc3d34562cac16b4fce4a45b","import_time":"2026-06-18T17:08:46.962833167Z","source":"amazon-inspector","modified_time":"2026-06-18T16:15:22Z","versions":["1.0.2"]},{"id":"IN-MAL-2026-007003","sha256":"0405bead6aa6dd628190974d5555a124113b2fc630e8a90f11be30a238af88d2","versions":["1.0.3"],"source":"amazon-inspector","modified_time":"2026-06-18T16:15:32Z","import_time":"2026-06-18T17:08:47.614926762Z"},{"id":"IN-MAL-2026-006994","sha256":"188c65369497c00333fc54291c970071044f3237a255387903a707cfd2711599","versions":["1.0.1"],"source":"amazon-inspector","modified_time":"2026-06-18T16:15:22Z","import_time":"2026-06-18T17:08:46.900116541Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@onum-releases/ixel/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@onum-releases/ixel/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@onum-releases/ixel/v/1.0.1"}],"affected":[{"package":{"name":"@onum-releases/ixel","ecosystem":"npm","purl":"pkg:npm/%40onum-releases%2Fixel"},"versions":["1.0.2","1.0.3","1.0.1"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"33353623275a9379387b051a7e58079d99af6ec5","sha512_sri":"sha512-I//R82XQNfvPGzyuUzLv43AqowSoK1Gfm3uu9CMqPnmkJdqJ0tMYeP9GGwwIXmlfbxfDrwcMLZXvuszu8gp+mw=="},"filename":"ixel-1.0.2.tgz"}],"evidence_files":[{"sha256":"6e5ac179cb554e98721365c79a3caa7198842aeff84bee0e047ce090fb31f503","path":"index.js","tlsh":"94f0abd6d2f9f1907132b4c9d65e0405a2a2f0902295cec04aafe1f66df1b281706ef8"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@onum-releases/ixel/MAL-2026-6124.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}