{"id":"MAL-2026-6577","summary":"Malicious code in int_sezzle_sfra (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (16242285e7dabb5a109f61e97ab52c05ad80ea9b8f326a706c3228268536e80d)\npackage.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host reconnaissance from the installer machine — hostname, OS info, username, uid/gid, shell, home directory, current working directory, and the output of `whoami` and `id` shelled out via child_process.exec — and POSTs the resulting JSON to a hardcoded Burp Collaborator OAST subdomain at https://1mopc72u2pqhsphbd3rmzirm9df43wrl.oastify.com/detox56. The package name mirrors the Salesforce Commerce Cloud (SFRA) cartridge naming convention used by Sezzle's internal `int_sezzle_sfra` integration cartridge; combined with empty author/description/license metadata and the install-time OAST beacon, this matches the canonical dependency-confusion pattern targeting a private vendor cartridge name.\nInstalling this package causes unconsented exfiltration of installer identity and shell-command output to an attacker-controlled callback host.\n","modified":"2026-06-29T07:16:43.966871358Z","published":"2026-06-29T05:34:59Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-29T07:09:09.874548056Z","modified_time":"2026-06-29T05:34:59Z","versions":["25.2.1"],"id":"IN-MAL-2026-007749","source":"amazon-inspector","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"sha256":"16242285e7dabb5a109f61e97ab52c05ad80ea9b8f326a706c3228268536e80d"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/int_sezzle_sfra/v/25.2.1"}],"affected":[{"package":{"name":"int_sezzle_sfra","ecosystem":"npm","purl":"pkg:npm/int_sezzle_sfra"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["25.2.1"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/int_sezzle_sfra/MAL-2026-6577.json","indicators":{"package_integrity":[{"hashes":{"sha1":"4b7c5a1fc7b549a150b960020967952d93171848","sha512_sri":"sha512-vLk6wNpDZaeba+gpuXb7CLpyUfbunHxdoinGja+OxQLQpDN+1hJRVFLDWAPOOxpLgqlli+7Y1US95r7yPBc+sA=="},"filename":"int_sezzle_sfra-25.2.1.tgz"}],"evidence_files":[{"path":"index.js","tlsh":"bb5152c515f65a241ba7b8494a4f9402a327e0033549ee55bfcc8740af9937c9bf0bf6","sha256":"6df26231e805de45d3ac940af2c5fe0a7db4e99d7f1a82b476db05f10cf628ab"},{"path":"package.json","tlsh":"f5d05e244e22592329c51656082a949a72619f2f04043c08a79f182c51ce27798ff35e","sha256":"ae749e4ef426603267952da6368f1ca83bad71c7a73e689a45cf2822314083e4"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}