mal-2026-6126
Vulnerability from ossf_malicious_packages
Published
2026-06-18 16:15
Modified
2026-06-18 17:10
Summary
Malicious code in @onum-releases/shared-components (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74)

On require()/import, index.js reads os.hostname() and issues an HTTP GET to 'shared-components..200majoeu01dk02xnjdajro1isojc90y.oastify.com/shared-components', leaking the installer's hostname out-of-band to an attacker-controlled Burp Collaborator subdomain. The package.json describes the package as a 'Security PoC placeholder - benign, no runtime payload' but the shipped index.js contradicts that claim and actively beacons on every load. The @onum-releases scope combined with the generic 'shared-components' name is consistent with a dependency-confusion squat against an internal Onum private package; any build that resolves this public version executes the beacon and discloses the host identifier to a third party. Self-described 'PoC' framing does not neutralize the harm — the code performs real installer-side data exfiltration.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
  • CWE-506 - The product contains code that appears to be malicious in nature.
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector inspector-research@amazon.com
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "index.js",
              "sha256": "a2374834883f5c06ac34c557a9d3fa64c903464d30180b9b93ae8c7317a6738f",
              "tlsh": "c2f0dcf9a2b5b4547132a4c9e21f680b63d3e0802682dec0429fd0e05ee2b282707df8"
            },
            {
              "path": "package.json",
              "sha256": "299d3a14bcdf0fa0291cfd9f8afb1cc8bed2523cc6dcb5dc94ac3b451d9471b3",
              "tlsh": "0cc012300900e42714c5ca710d729e1617654c6b5681b5080717501481e67b364f779d"
            }
          ],
          "package_integrity": [
            {
              "filename": "shared-components-1.0.1.tgz",
              "hashes": {
                "sha1": "4bed4113d7d96149075a50634875da0cd7135e8c",
                "sha512_sri": "sha512-TWljJkubBMvok0kbYDXwg6vTsk2F6vmF/j/icdIDcG8p0ziY5bD1AW8kAN6O1r74wcAL20KUomNRw+ef/k6ZRg=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "@onum-releases/shared-components"
      },
      "versions": [
        "1.0.1",
        "1.0.3",
        "1.0.2"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007000",
        "import_time": "2026-06-18T17:08:47.371789421Z",
        "modified_time": "2026-06-18T16:15:26Z",
        "sha256": "54d6c83bc588b9f214e650e97872e9f38e4cbe4f907f99c9bc8887f4028f9d10",
        "source": "amazon-inspector",
        "versions": [
          "1.0.1"
        ]
      },
      {
        "id": "IN-MAL-2026-006998",
        "import_time": "2026-06-18T17:08:47.196274525Z",
        "modified_time": "2026-06-18T16:15:24Z",
        "sha256": "9192c26fb53aefa13f0319128a366a226ac39ca7ffca4ff73c02c5ccd1919b19",
        "source": "amazon-inspector",
        "versions": [
          "1.0.3"
        ]
      },
      {
        "id": "IN-MAL-2026-006999",
        "import_time": "2026-06-18T17:08:47.306795997Z",
        "modified_time": "2026-06-18T16:15:25Z",
        "sha256": "c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74",
        "source": "amazon-inspector",
        "versions": [
          "1.0.2"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74)\nOn require()/import, index.js reads os.hostname() and issues an HTTP GET to \u0027shared-components.\u003chostname\u003e.200majoeu01dk02xnjdajro1isojc90y.oastify.com/shared-components\u0027, leaking the installer\u0027s hostname out-of-band to an attacker-controlled Burp Collaborator subdomain. The package.json describes the package as a \u0027Security PoC placeholder - benign, no runtime payload\u0027 but the shipped index.js contradicts that claim and actively beacons on every load. The @onum-releases scope combined with the generic \u0027shared-components\u0027 name is consistent with a dependency-confusion squat against an internal Onum private package; any build that resolves this public version executes the beacon and discloses the host identifier to a third party. Self-described \u0027PoC\u0027 framing does not neutralize the harm \u2014 the code performs real installer-side data exfiltration.\n",
  "id": "MAL-2026-6126",
  "modified": "2026-06-18T17:10:53Z",
  "published": "2026-06-18T16:15:24Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@onum-releases/shared-components/v/1.0.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@onum-releases/shared-components/v/1.0.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@onum-releases/shared-components/v/1.0.2"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in @onum-releases/shared-components (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.