mal-2026-3322
Vulnerability from ossf_malicious_packages
Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal using inflated semver values (e.g. 99.9.x, 100.1.x) to win npm resolution against private internal packages. All packages in the campaign falsely advertise themselves as "Security Research PoC" / MSRC research and execute on preinstall via node index.js, exfiltrating to disposable webhook.site endpoints.
This package targets Microsoft-internal infrastructure. On install it shells out to harvest /etc/passwd, probe /etc/shadow, locate SSH private keys (id_rsa, *.pem, authorized_keys), enumerate .netrc / .dockercfg, query the AWS IMDS endpoint http://169.254.169.254/latest/user-data, and grep environment variables matching USER|PASS|TOKEN|CREDENTIAL. The collected output is POSTed to https://webhook.site/11b6a711-bdc7-4444-9a0e-ffcb23151e82 tagged status: ULTRA_USER_CREDENTIAL_SCOUT, target: global-microsoft-infra.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "microsoft-agents-auth-service"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
]
}
],
"credits": [
{
"contact": [
"https://safedep.io"
],
"name": "SafeDep",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": null
},
"details": "Malicious npm package published by the `microsop` threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal using inflated semver values (e.g. 99.9.x, 100.1.x) to win npm resolution against private internal packages. All packages in the campaign falsely advertise themselves as \"Security Research PoC\" / MSRC research and execute on `preinstall` via `node index.js`, exfiltrating to disposable `webhook.site` endpoints.\n\nThis package targets Microsoft-internal infrastructure. On install it shells out to harvest `/etc/passwd`, probe `/etc/shadow`, locate SSH private keys (`id_rsa`, `*.pem`, `authorized_keys`), enumerate `.netrc` / `.dockercfg`, query the AWS IMDS endpoint `http://169.254.169.254/latest/user-data`, and grep environment variables matching `USER|PASS|TOKEN|CREDENTIAL`. The collected output is POSTed to `https://webhook.site/11b6a711-bdc7-4444-9a0e-ffcb23151e82` tagged `status: ULTRA_USER_CREDENTIAL_SCOUT`, `target: global-microsoft-infra`.",
"id": "MAL-2026-3322",
"modified": "2026-05-04T00:00:00Z",
"published": "2026-05-04T00:00:00Z",
"schema_version": "1.7.4",
"summary": "Malicious code in microsoft-agents-auth-service (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.