{"id":"MAL-2026-6565","summary":"Malicious code in @uisp/utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e841054b9f1d1625077178da23e8096c345ff196851058742d4903747d1461ea)\nPackage published to the public npm registry under the @uisp scope at version 99.0.1 — the canonical dependency-confusion shape (organization-matching scope plus inflated version to outrank private internal releases). package.json declares scripts.preinstall=\"node beacon.js\". beacon.js unconditionally runs child_process.execSync('whoami') and exfiltrates the base64-encoded output to a hardcoded Burp Collaborator host (w963dgom49n3ibi6677fuaxd64cv0loa.oastify.com) via both a DNS lookup of NONCE.\u003cb64\u003e.\u003ccollab\u003e and an https.get to https://\u003ccollab\u003e/\u003cnonce\u003e/whoami/\u003cb64\u003e. Installer harm: running `npm install` against the public registry (or any misconfigured registry resolution that falls through to it) auto-executes attacker code on the build host and leaks host identity to an external out-of-band collector. The README's claim of authorized research does not constitute consent for arbitrary installers and does not mitigate the install-time RCE + exfiltration mechanism.\n","modified":"2026-06-29T05:16:43.345915762Z","published":"2026-06-29T03:20:42Z","database_specific":{"malicious-packages-origins":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"sha256":"e10df679e35a375b1e0c5a4dcfd138be621374bc861aa3eac834b89144791309","source":"amazon-inspector","versions":["99.0.2"],"id":"IN-MAL-2026-007706","import_time":"2026-06-29T05:07:04.752707822Z","modified_time":"2026-06-29T03:20:58Z"},{"versions":["99.0.1"],"id":"IN-MAL-2026-007704","import_time":"2026-06-29T05:07:04.416295484Z","modified_time":"2026-06-29T03:20:42Z","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"sha256":"e841054b9f1d1625077178da23e8096c345ff196851058742d4903747d1461ea","source":"amazon-inspector"},{"source":"amazon-inspector","versions":["99.0.0"],"id":"IN-MAL-2026-007705","import_time":"2026-06-29T05:07:04.544957235Z","modified_time":"2026-06-29T03:20:50Z","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"sha256":"ff736ef7db7d1fcf7d9a37f6f675d7a3008aef01e9341e8a4f84ea1cc57185e1"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@uisp/utils/v/99.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@uisp/utils/v/99.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@uisp/utils/v/99.0.0"}],"affected":[{"package":{"name":"@uisp/utils","ecosystem":"npm","purl":"pkg:npm/%40uisp%2Futils"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["99.0.2","99.0.1","99.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@uisp/utils/MAL-2026-6565.json","indicators":{"evidence_files":[{"tlsh":"482100afabb427a110c275d4d51f3126f563d21c5394aff0c0a6e2173d2c86502aa8fa","path":"beacon.js","sha256":"395a88912555d89f172d58242e2b84b6fc5fb072cc2651868708321f1f91f463"},{"path":"package.json","sha256":"ea94b48f05e956d47d7cb63a02f9fc9ffce04cc03f27b8ee27bd014333019237","tlsh":"85e0c0145e00d93725d401e55975501731b5cc0f166d2935e183010c509dfea237f39a"}],"package_integrity":[{"hashes":{"sha1":"b95d52599dc86fb299e107d615873ebc4d4a6cfc","sha512_sri":"sha512-UFY/YseOiUmqRFMBPIDJ6vmJIF7OqhZQuR5pf0AGrs9UGsI37/BIa5kl4ROOjZSGWoAlY1fn9ReoEB1B8BaFJA=="},"filename":"utils-99.0.2.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}