mal-2026-3323
Vulnerability from ossf_malicious_packages
Malicious npm package published by the microsop threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal using inflated semver values (e.g. 99.9.x, 100.1.x) to win npm resolution against private internal packages. All packages in the campaign falsely advertise themselves as "Security Research PoC" and execute on preinstall via node index.js, exfiltrating to disposable webhook.site endpoints.
This package targets PayPal-flavored internal naming and performs internal-registry / build-environment discovery. On install it reads /root/.npmrc (token values are partially scrubbed before exfil but the registry URL is kept, revealing the victim's private registry), enumerates neighbor packages under /app/node_modules and /node_modules, and runs npm search paypal --json --limit=20 against whatever registry is configured to enumerate other PayPal-named packages worth targeting. The collected output is POSTed to https://webhook.site/db976f48-5e71-4746-a905-1af291c19c1f tagged event: LINUX_INTERNAL_DISCOVERY. Source contains Indonesian-language operator comments matching the rest of the campaign.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "paypal-payouts-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
]
}
],
"credits": [
{
"contact": [
"https://safedep.io"
],
"name": "SafeDep",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": null
},
"details": "Malicious npm package published by the `microsop` threat actor as part of a dependency-confusion campaign that impersonates internal tooling at Microsoft, Google Cloud, and PayPal using inflated semver values (e.g. 99.9.x, 100.1.x) to win npm resolution against private internal packages. All packages in the campaign falsely advertise themselves as \"Security Research PoC\" and execute on `preinstall` via `node index.js`, exfiltrating to disposable `webhook.site` endpoints.\n\nThis package targets PayPal-flavored internal naming and performs internal-registry / build-environment discovery. On install it reads `/root/.npmrc` (token values are partially scrubbed before exfil but the registry URL is kept, revealing the victim\u0027s private registry), enumerates neighbor packages under `/app/node_modules` and `/node_modules`, and runs `npm search paypal --json --limit=20` against whatever registry is configured to enumerate other PayPal-named packages worth targeting. The collected output is POSTed to `https://webhook.site/db976f48-5e71-4746-a905-1af291c19c1f` tagged `event: LINUX_INTERNAL_DISCOVERY`. Source contains Indonesian-language operator comments matching the rest of the campaign.",
"id": "MAL-2026-3323",
"modified": "2026-05-04T00:00:00Z",
"published": "2026-05-04T00:00:00Z",
"schema_version": "1.7.4",
"summary": "Malicious code in paypal-payouts-bridge (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.