{"id":"MAL-2026-6709","summary":"Malicious code in vega-lite-next (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd)\nPackage name impersonates the popular vega-lite library but ships no vega functionality — only a preinstall exfiltration stub. package.json declares `preinstall: node index.js`. On `npm install`, index.js collects os.hostname(), platform, arch, os.userInfo() (username/uid/gid/shell), homedir, cwd, and the output of `whoami` and `id` executed via child_process, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://kbztayu6auucui8s9ucz2mujkaq1er2g.oastify.com/detox56. The combination of typosquat naming, absence of library functionality, automatic preinstall execution, shell reconnaissance, and an attacker-controlled exfil endpoint is an unambiguous supply-chain attack against developers who mistype or are tricked into installing the lookalike.\n","modified":"2026-07-01T20:16:47.885897533Z","published":"2026-07-01T19:16:14Z","database_specific":{"malicious-packages-origins":[{"versions":["19.2.1"],"modified_time":"2026-07-01T19:16:14Z","sha256":"8c98ee24f91eaab2bc8360306a75519ae167dcbc3c7bd38cc395fbaa9590f4cd","source":"amazon-inspector","id":"IN-MAL-2026-007875","import_time":"2026-07-01T20:12:12.40132599Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vega-lite-next/v/19.2.1"}],"affected":[{"package":{"name":"vega-lite-next","ecosystem":"npm","purl":"pkg:npm/vega-lite-next"},"versions":["19.2.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vega-lite-next/MAL-2026-6709.json","indicators":{"package_integrity":[{"filename":"vega-lite-next-19.2.1.tgz","hashes":{"sha1":"65cf1aef6c27a72fd95cc73b23ad2e82f4cd3207","sha512_sri":"sha512-YWd3sgyY3OBKWeSYg1AvVpX1taenLmMiExmlSIZY7kjzxKBHTtRcawrStlklibYm1M1oK4Hh0FxxBClLJm5plA=="}}],"evidence_files":[{"path":"index.js","sha256":"cdbd2760dbc11550f16b946a5235ea37a6e087d6a218afe61c4094176f415e41","tlsh":"d95130c515f65a241ba7b8494a4f9402a327e1033509ee59bfcc8740af9937c97f0bf6"},{"path":"package.json","sha256":"0e9905e7823ccf92b80fd5830f3411d633e6a7d29017309034f2f271a947c917","tlsh":"dad05e244d22552325c102a2582b944772628e2f15143c0867cb582c918e37798fa35d"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}