mal-2026-6696
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7)
Package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolution. The package.json declares a postinstall script that runs node -e to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any npm install that resolves this scope from the public registry, the installer's machine performs an outbound callback that confirms execution and discloses the installer's source IP and the fact-of-install to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion attack pattern; researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "package.json",
"sha256": "5f890811f43dc23e9222fb1b742677bf9ac88ad699b27536b342a66d8f3c0377",
"tlsh": "760123794418292b1dc0b2f68172e92ed821fb0b20426918b6f942cd27558b6c13971d"
}
],
"package_integrity": [
{
"filename": "apis-9999.0.0.tgz",
"hashes": {
"sha1": "16c0dd840f392da3b019d6cf4e1e885bbadfabcd",
"sha512_sri": "sha512-ez1OgjT45x4PMZwtSoBaEl5I3iVz3yX7ywr6rvD6vkfeZrn0uCFdmBuVfdVvXcx6F8VoQQgH3gbBGOlIlYpixQ=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@businessapp-microsites/apis"
},
"versions": [
"9999.0.0",
"9999.0.1"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007813",
"import_time": "2026-06-30T21:35:49.577930753Z",
"modified_time": "2026-06-30T20:59:02Z",
"sha256": "8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7",
"source": "amazon-inspector",
"versions": [
"9999.0.0"
]
},
{
"id": "IN-MAL-2026-007814",
"import_time": "2026-06-30T21:35:49.707235574Z",
"modified_time": "2026-06-30T20:59:09Z",
"sha256": "f314f6c735fd7e1f9b226a235d36d50bb13f253d7fc3dfa7ef06d3b52d5f96bc",
"source": "amazon-inspector",
"versions": [
"9999.0.1"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7)\nPackage squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolution. The package.json declares a postinstall script that runs `node -e` to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any `npm install` that resolves this scope from the public registry, the installer\u0027s machine performs an outbound callback that confirms execution and discloses the installer\u0027s source IP and the fact-of-install to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion attack pattern; researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.\n",
"id": "MAL-2026-6696",
"modified": "2026-06-30T21:37:36Z",
"published": "2026-06-30T20:59:02Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@businessapp-microsites/apis/v/9999.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@businessapp-microsites/apis/v/9999.0.1"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @businessapp-microsites/apis (npm)"
}