{"id":"MAL-2026-6481","summary":"Malicious code in gx-npm-ui (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (04e5ac6b8b24f2c158c37d3d6ac268bbf7f472433660064491538ee468cfcfcb)\nPackage published at version 99.99.99 under the gx-npm-* namespace, a shape designed to win npm version resolution against private internal packages of the same name. package.json declares postinstall=`node beacon.js`, which runs unconditionally on `npm install`. beacon.js collects the installer's hostname, OS username, current working directory, package name, Node version, and the first 80 environment variable names, then exfiltrates them two ways to the hardcoded out-of-band host `d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me`: (1) a DNS lookup encoding the collected identifiers as subdomain labels, and (2) an HTTPS GET with a base64-encoded JSON payload in the query string. Any CI/build system or developer machine that resolves this package against the public npm registry leaks host identity and environment-variable names to an attacker-controlled interactsh/OAST endpoint on every install.\n","modified":"2026-06-25T23:16:25.029583665Z","published":"2026-06-25T22:30:07Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-25T23:00:34.523448188Z","versions":["99.99.99"],"sha256":"04e5ac6b8b24f2c158c37d3d6ac268bbf7f472433660064491538ee468cfcfcb","id":"IN-MAL-2026-007559","modified_time":"2026-06-25T22:30:07Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/gx-npm-ui/v/99.99.99"}],"affected":[{"package":{"name":"gx-npm-ui","ecosystem":"npm","purl":"pkg:npm/gx-npm-ui"},"versions":["99.99.99"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gx-npm-ui/MAL-2026-6481.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"d3d4337397db1302a247ab4b21a5034b89c1d9a5","sha512_sri":"sha512-l6pqw2U4jjK24d8hpF7uJOl9DmdSgd2r4NKEU0jEK5NiVdwYsWGZK0Bon7db4i3vm3MDiywtpFIsdJfE/3ZxXA=="},"filename":"gx-npm-ui-99.99.99.tgz"}],"evidence_files":[{"path":"beacon.js","sha256":"8642a1b9117942eed77327a315389d97f652317c03f2506a9ee28793621af7b5","tlsh":"2841879f99e8a12822f721f446af402526b3d2631358ddd0745ca3158f75db803d6cfe"},{"path":"package.json","sha256":"952da3c3a1c60a06e47c944889975b03c30bf1b69b33b70e062d78ba7d5224de","tlsh":"1af00e98b414aa3b0fe259d2087a649b37728c4e5b046145878f4014a20ebe303f72fb"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}