mal-2026-6697
Vulnerability from ossf_malicious_packages
Published
2026-06-30 20:59
Modified
2026-06-30 20:59
Summary
Malicious code in @sudoughnym/enviro-demo (npm)
Details


Source: amazon-inspector (02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957)

@sudoughnym/enviro-demo@99.99.99 ships preinstall.js and postinstall.js lifecycle scripts that run automatically on npm install. Both scripts collect host identifiers and environment metadata — os.hostname(), process.cwd(), pid, node version, platform, process.env.USER, the first ten environment variable names, and the total env count — and POST them as JSON to https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7, a third-party webhook capture service not associated with the package's stated publisher. The package version (99.99.99) and its own description identify it as a dependency-confusion proof-of-concept targeting an internal enviro package name; the inflated semver is intended to outrank private-registry versions so internal build systems resolve to this public package. Installer harm: any build or developer machine that resolves to this version leaks host identity and environment-variable layout (which can include secret-bearing variable names) to an attacker-controlled endpoint on every install.
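The two traits the advisory describes, install-time lifecycle scripts plus an inflated semver on a name that shadows an internal package, can be checked before a manifest is ever installed. The audit below is an added example, not code from the advisory or from Amazon Inspector; the sample manifest is constructed to mirror the description above, and the internal package name list and the major-version threshold are assumptions.

```python
import json

# Constructed sample modelled on the advisory (not the package's real
# package.json): a scoped name, an implausibly high version and both install hooks.
SAMPLE_MANIFEST = json.dumps({
    "name": "@sudoughnym/enviro-demo",
    "version": "99.99.99",
    "description": "dependency confusion demo",
    "scripts": {
        "preinstall": "node preinstall.js",
        "postinstall": "node postinstall.js",
    },
})

# Script names that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_manifest(manifest_text, internal_names=(), max_major=50):
    """Return human-readable findings for a package.json about to be installed.

    internal_names: base names (without @scope/) of packages that exist only on
    the private registry; a public package with the same base name is a
    dependency-confusion risk.  max_major: majors above this count as inflated.
    Both values are assumptions chosen for this example.
    """
    manifest = json.loads(manifest_text)
    findings = []

    scripts = manifest.get("scripts", {})
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    if hooks:
        findings.append("runs lifecycle scripts on install: " + ", ".join(hooks))

    version = manifest.get("version", "")
    major = version.split(".")[0]
    if major.isdigit() and int(major) > max_major:
        findings.append(f"inflated version {version} (major > {max_major})")

    name = manifest.get("name", "")
    base = name.rsplit("/", 1)[-1]  # strip the @scope/ prefix if present
    if base in internal_names:
        findings.append(f"public package {name} shadows internal name {base}")

    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST, internal_names=("enviro-demo",)):
        print("WARN:", line)
```

Independently of such an audit, setting `ignore-scripts=true` in `.npmrc` (or passing `--ignore-scripts`) stops preinstall/postinstall hooks from running at all on build machines that do not need them.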

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "preinstall.js",
              "sha256": "03df4047f3aaa9c2cbbfd289053a748d9b5f82a4113ed142dc54f9a9f5529ad0",
              "tlsh": "202144d4e1e8661413b7b3e5e08b611a39b7c841974b7964f45883633fd5a2801729ed"
            },
            {
              "path": "package.json",
              "sha256": "57dca44a6dc5be90c2735bfc0ec5593f143634a523bbe7aaa4c23584d0a1f689",
              "tlsh": "e8e068704400eb33bcce4be9083380067bf94846ca64190863db808a138d17e87ff15a"
            }
          ],
          "package_integrity": [
            {
              "filename": "enviro-demo-99.99.99.tgz",
              "hashes": {
                "sha1": "b18eadcb0f62b03b69c83d6e94d0e0ae59491bfb",
                "sha512_sri": "sha512-0edpnYwjpGQJbNmYw615jFEO+AmwNxe23cH6Briw61pX4lhkOO2+sBx+3GDWUwoZdHafgy6ZbdMT+rSDAZD/4Q=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "@sudoughnym/enviro-demo"
      },
      "versions": [
        "99.99.99"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007815",
        "import_time": "2026-06-30T21:35:49.848832693Z",
        "modified_time": "2026-06-30T20:59:17Z",
        "sha256": "02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957",
        "source": "amazon-inspector",
        "versions": [
          "99.99.99"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957)\n@sudoughnym/enviro-demo@99.99.99 ships preinstall.js and postinstall.js lifecycle scripts that run automatically on `npm install`. Both scripts collect host identifiers and environment metadata \u2014 os.hostname(), process.cwd(), pid, node version, platform, process.env.USER, the first ten environment variable names, and the total env count \u2014 and POST them as JSON to https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7, a third-party webhook capture service not associated with the package\u0027s stated publisher. The package version (99.99.99) and its own description identify it as a dependency-confusion proof-of-concept targeting an internal `enviro` package name; the inflated semver is intended to outrank private-registry versions so internal build systems resolve to this public package. Installer harm: any build or developer machine that resolves to this version leaks host identity and environment-variable layout (which can include secret-bearing variable names) to an attacker-controlled endpoint on every install.\n",
  "id": "MAL-2026-6697",
  "modified": "2026-06-30T20:59:17Z",
  "published": "2026-06-30T20:59:17Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@sudoughnym/enviro-demo/v/99.99.99"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in @sudoughnym/enviro-demo (npm)"
}

