{"id":"MAL-2026-6702","summary":"Malicious code in vue-demi-fix (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3bf683b6e8715fecd451a06da256d90048054cbe463da64e43c1a8db4226b661)\nvue-demi-fix is a name-confusion package against the widely used vue-demi library. package.json declares both preinstall and postinstall lifecycle scripts that invoke curl against a hardcoded bare-IP HTTP endpoint (http://109.71.252.153:8080/), exfiltrating the installer's OS, username (whoami), current working directory (pwd), and hostname as URL query parameters on every npm install. The package ships no real functionality — index.js only prints a proof-of-concept notice and README self-labels as a 'Responsible Disclosure' PoC. Regardless of the PoC framing, installers receive no benign function and their host identity is unconditionally beaconed to a non-publisher, non-registry endpoint on a default install.\n\n## Source: ossf-package-analysis (8fd5381cd4364444dac8d64b33e317c526ef52948ebfb9d10e11ec0909b7d383)\nThe OpenSSF Package Analysis project identified 'vue-demi-fix' @ 10.0.4 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-07-01T19:16:50.068014111Z","published":"2026-06-30T10:41:28Z","database_specific":{"malicious-packages-origins":[{"sha256":"8fd5381cd4364444dac8d64b33e317c526ef52948ebfb9d10e11ec0909b7d383","source":"ossf-package-analysis","modified_time":"2026-06-30T10:41:28Z","import_time":"2026-06-30T21:35:44.631242273Z","versions":["10.0.4"]},{"sha256":"3bf683b6e8715fecd451a06da256d90048054cbe463da64e43c1a8db4226b661","id":"IN-MAL-2026-007842","source":"amazon-inspector","modified_time":"2026-07-01T18:34:29Z","import_time":"2026-07-01T19:11:22.756129232Z","versions":["10.0.4"]},{"sha256":"41d430d87db19b144ee6213294cc5dd634b60288db5dd1c9ba6d57e23d90140c","id":"IN-MAL-2026-007844","source":"amazon-inspector","modified_time":"2026-07-01T18:34:46Z","import_time":"2026-07-01T19:11:23.067617477Z","versions":["10.0.3"]},{"sha256":"de927f8bd731d104d0cd6444386a8c9a050331d85b1de57a14bee2c7f4baa0e7","id":"IN-MAL-2026-007843","source":"amazon-inspector","modified_time":"2026-07-01T18:34:39Z","import_time":"2026-07-01T19:11:22.90478316Z","versions":["10.0.5"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vue-demi-fix/v/10.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/vue-demi-fix/v/10.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/vue-demi-fix/v/10.0.5"}],"affected":[{"package":{"name":"vue-demi-fix","ecosystem":"npm","purl":"pkg:npm/vue-demi-fix"},"versions":["10.0.4","10.0.3","10.0.5"],"database_specific":{"indicators":{"package_integrity":[{"filename":"vue-demi-fix-10.0.4.tgz","hashes":{"sha512_sri":"sha512-sOGDhqSQeq3Ki7DOeFTqutfY0sf72I9I/fMSaj43mWQWNnerwv+7aCGX4kqSvx7VlJTGd4qPczAHTvYbLFvoxQ==","sha1":"4e8b755465d097a5dfc9515df2eaa015bd7703df"}}],"evidence_files":[{"path":"package.json","sha256":"1df317c182d5e7b522b207299f68c0e75e79c4697c009e69b256410bd6335779","tlsh":"49f028382834a6333ac54f20686576efac417f730191bc15e7a3a51ddaae29202b9219"},{"path":"README.md","sha256":"58b31f2aade66367cf38caf6f10806a270f3be88b9cdfc5f1c8524d01ac44479","tlsh":"20a022333008ba0823303a030ae00a002a000c22bf88a080c80be880820c0c08a8833a"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vue-demi-fix/MAL-2026-6702.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}