MAL-2026-6696

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@businessapp-microsites/apis/MAL-2026-6696.json
JSON Data
https://api.test.osv.dev/v1/vulns/MAL-2026-6696
Published
2026-06-30T20:59:02Z
Modified
2026-06-30T21:46:38.352997259Z
Summary
Malicious code in @businessapp-microsites/apis (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7)

Package squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolution. The package.json declares a postinstall script that runs node -e to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any npm install that resolves this scope from the public registry, the installer's machine performs an outbound callback that confirms execution and discloses the installer's source IP and the fact-of-install to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion attack pattern; researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "versions": [
                "9999.0.0"
            ],
            "id": "IN-MAL-2026-007813",
            "modified_time": "2026-06-30T20:59:02Z",
            "sha256": "8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7",
            "import_time": "2026-06-30T21:35:49.577930753Z"
        },
        {
            "source": "amazon-inspector",
            "sha256": "f314f6c735fd7e1f9b226a235d36d50bb13f253d7fc3dfa7ef06d3b52d5f96bc",
            "modified_time": "2026-06-30T20:59:09Z",
            "versions": [
                "9999.0.1"
            ],
            "id": "IN-MAL-2026-007814",
            "import_time": "2026-06-30T21:35:49.707235574Z"
        }
    ]
}
References
Credits

Affected packages

npm / @businessapp-microsites/apis

Package

Name
@businessapp-microsites/apis
Purl
pkg:npm/%40businessapp-microsites%2Fapis

Affected ranges

Affected versions

9999.*
9999.0.0
9999.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@businessapp-microsites/apis/MAL-2026-6696.json"
indicators
{
    "evidence_files": [
        {
            "tlsh": "760123794418292b1dc0b2f68172e92ed821fb0b20426918b6f942cd27558b6c13971d",
            "sha256": "5f890811f43dc23e9222fb1b742677bf9ac88ad699b27536b342a66d8f3c0377",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "apis-9999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-ez1OgjT45x4PMZwtSoBaEl5I3iVz3yX7ywr6rvD6vkfeZrn0uCFdmBuVfdVvXcx6F8VoQQgH3gbBGOlIlYpixQ==",
                "sha1": "16c0dd840f392da3b019d6cf4e1e885bbadfabcd"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]