{"id":"MAL-2026-6550","summary":"Malicious code in @k18n/creatormarketplace-admin-language (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8)\nPackage claims the @k18n npm scope (used internally by Kuaishou) and publishes at version 99.0.0 — the canonical high-version dependency-confusion shape that causes internal builds resolving @k18n from public npm to pull this artifact. A preinstall script in index.js collects host identifiers (os.hostname(), os.userInfo().username, install directory, cwd, package version) and transmits them to c.adityasec.com over two channels: an HTTPS POST to https://c.adityasec.com/LdCdrTByhmflbwt5qFNisg and a DNS lookup of a hex-encoded subdomain under c.adityasec.com (DNS exfil fallback for hosts where outbound HTTPS is restricted). The lifecycle hook fires automatically on `npm install` with no consent. The package's own description self-labels this as a 'dependency confusion proof of concept,' but the cover-story label does not change the installer-side harm: any build host that resolves @k18n from the public registry leaks internal hostnames, usernames, and build paths to a third-party operator.\n","modified":"2026-07-08T17:16:50.597291640Z","published":"2026-06-28T06:01:17Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-28T06:50:42.818797198Z","sha256":"6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8","versions":["99.0.0"],"source":"amazon-inspector","modified_time":"2026-06-28T06:01:17Z","id":"IN-MAL-2026-007696","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]},{"import_time":"2026-07-08T17:01:28.829183185Z","sha256":"c0179fff59fcd98ba528e9806c213bfd4d5a84650f2171ee07e38385f1457491","versions":["99.0.1"],"source":"amazon-inspector","modified_time":"2026-07-08T16:21:27Z","id":"IN-MAL-2026-008078"},{"import_time":"2026-07-08T17:01:29.004316922Z","sha256":"d6af95c8029bf9e5648dccc458f775b45988bf74f2b0dee8ffe66030b5ed04f1","versions":["99.0.2"],"source":"amazon-inspector","modified_time":"2026-07-08T16:21:55Z","id":"IN-MAL-2026-008081"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@k18n/creatormarketplace-admin-language/v/99.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@k18n/creatormarketplace-admin-language/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@k18n/creatormarketplace-admin-language/v/99.0.2"}],"affected":[{"package":{"name":"@k18n/creatormarketplace-admin-language","ecosystem":"npm","purl":"pkg:npm/%40k18n/creatormarketplace-admin-language"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["99.0.0","99.0.1","99.0.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@k18n/creatormarketplace-admin-language/MAL-2026-6550.json","indicators":{"package_integrity":[{"filename":"creatormarketplace-admin-language-99.0.0.tgz","hashes":{"sha1":"88aee6b16d2d27cbdea10f3c62fcc2ce59911d68","sha512_sri":"sha512-4M1Z4VHztMAbjyFN2YRa+PFQZ6j43XPXws9Q48fkUf2KRzTkQSQ5UPu59HRmjKyqra6EJNXJTVNMyvwJr3yYUQ=="}}],"evidence_files":[{"sha256":"ccb00bd9bfd7267264645159b028d65662a9c8085b38b4a82009207e66ae5122","tlsh":"ab2116f0939450b025b545c0a4a5491122dbc77f7e1bfcf1b59802294f9eefd41364ba","path":"index.js"},{"sha256":"61184cc8bb745f03496f588ec6e4ed28a7261036f7080444cfabd7d9cb08a8d2","tlsh":"9ff0e1709c1464230dd911e148751545a175ce3b4d09ec6a67b6012c818feaa467e3ed","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}