{"id":"MAL-2026-6980","summary":"Malicious code in domains-billing-types (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4860726efc056e319a24e46ac4e179809cc294267679a9b8122c5205b49369f1)\ndomains-billing-types@99.91.1 executes `node index.js` from its `postinstall` lifecycle script. On install, index.js reads `os.hostname()` and `os.userInfo().username` and embeds them as subdomain labels in a DNS A-record lookup to `\u003chostname\u003e.\u003cusername\u003e.aiwm5lowso4vtjynsoije5q4rvxmlf94.oastify.com` (Burp Suite Collaborator, an out-of-band interaction server). The DNS resolution transmits the installer's host and user identity to an attacker-controlled OAST endpoint at install time, without consent. The package has anonymous authorship, an empty description (\"Billing!\"), and no real functionality — the name and shape are consistent with a dependency-confusion probe against an internal package namespace, with the DNS beacon confirming any successful resolution.\n\n## Source: ossf-package-analysis (11558e73bc928dd5dadd7ba70e9256e5458e6d829c63a577a31740d2f6c553e1)\nThe OpenSSF Package Analysis project identified 'domains-billing-types' @ 99.91.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-07-09T16:31:57.177524827Z","published":"2026-07-08T14:20:52Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-08T15:18:59.737841545Z","sha256":"11558e73bc928dd5dadd7ba70e9256e5458e6d829c63a577a31740d2f6c553e1","source":"ossf-package-analysis","versions":["99.91.1"],"modified_time":"2026-07-08T14:20:52Z"},{"import_time":"2026-07-09T16:20:54.072626041Z","sha256":"4860726efc056e319a24e46ac4e179809cc294267679a9b8122c5205b49369f1","source":"amazon-inspector","versions":["99.91.1"],"modified_time":"2026-07-09T15:49:29Z","id":"IN-MAL-2026-009246"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/domains-billing-types/v/99.91.1"}],"affected":[{"package":{"name":"domains-billing-types","ecosystem":"npm","purl":"pkg:npm/domains-billing-types"},"versions":["99.91.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/domains-billing-types/MAL-2026-6980.json","indicators":{"package_integrity":[{"filename":"domains-billing-types-99.91.1.tgz","hashes":{"sha512_sri":"sha512-Oz1AEe9uJfVbUxaGp/cQC5YcQGRtSzmwwtx6NkjiqI9+Nweah4h4DqWMXBnAPkc7IC6GG3cM6VwGNg/9sAiYrg==","sha1":"71ab0271b8f642d95caee9aa49adf486529cbbd1"}}],"evidence_files":[{"sha256":"22171063882c8b7b1655e6979f46b977eab1ab17faea8f91f495b66122c252c7","path":"index.js","tlsh":"e2e026b401b359b11d6b95d8a022000a2783c682315dd8c285ac83e5c2c2ff4cd30599"},{"sha256":"2a5a486c714bb2ef4996adcdaeea69d3a01b133ab1360b97cb09fa25bfd974b6","path":"package.json","tlsh":"95d022a4ac2056333cc423ea0e24b40a6220cd0b00243c08bbd7812c67da13b48ff26d"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}