mal-2026-4267
Vulnerability from ossf_malicious_packages
Published
2026-05-23 17:52
Modified
2026-05-26 05:55
Summary
Malicious code in @newline53/newline-ts-sdk (npm)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (475a7ac4130ef9c168565439f8cac230fce87b1d59bc116caec6c712f3a5dc60)
On npm install, the postinstall hook (node install.js) collects os.hostname() and os.userInfo().username along with the package name, encodes them as a DNS subdomain of mjcfux88wjjahplabxdauc6bl.canarytokens.com, and beacons out via DNS resolution (dns.lookup/dns.resolve) and HTTP requests (shelled curl/wget to http://<host-username-pkg>.mjcfux88wjjahplabxdauc6bl.canarytokens.com). The package has no real functionality — index.js is module.exports = {} — and package.json carries placeholder author metadata (a 32-char hex string with no homepage or repository). The structure (empty main, recon-only postinstall, canarytoken endpoint) is the canonical dependency-confusion probe: an attacker publishes a public npm package matching an internal scope name to detect whether private builds inside a target organization resolve to and install the public name. The exfiltrated hostname/username identifies the victim environment to the attacker.
Source: ossf-package-analysis (5410fe1569b6b68356a714bec6729f19f05c94faa3ee858c58df8a35345f5eca)
The OpenSSF Package Analysis project identified '@newline53/newline-ts-sdk' @ 1.0.1 (npm) as malicious.
It is considered malicious because:
-
The package communicates with a domain associated with malicious activity.
-
The package executes one or more commands associated with malicious behavior.
CWE
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"domains": [
"newline53-newline-ts-sdk.scan.scan-e61f3bd6facf.mjcfux88wjjahplabxdauc6bl.canarytokens.com"
],
"evidence_files": [
{
"path": "install.js",
"sha256": "0dfc08ec02993dc0ee798da772eac18d639737cf653a1873bc5882d7ce60db13",
"tlsh": "b7210f6d39f426602a661ce8621b34116893e117b19aede8b19e97e00f1343892b3ce8"
},
{
"path": "package.json",
"sha256": "1b55015074f9904d8c4e275c89f0ba58808e7e7f6a8cec8a883eab049b8db625",
"tlsh": "1ae0c2244a119af33bc14a6a0d266e46bd218e6f4052fc0c63db621093df7ba587922d"
}
],
"package_integrity": [
{
"filename": "newline-ts-sdk-1.0.2.tgz",
"hashes": {
"sha1": "a497e5712c857ee66e1ffe23ca246eab61d54a78",
"sha512_sri": "sha512-AuOGLY+BC7wnkWwqXN0dEX+ITCchnW3yOSNRu02HoEqa6coM/c7CegbVTHXv3F/J0hI+csajJdOiI9rhjx1XIQ=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@newline53/newline-ts-sdk"
},
"versions": [
"1.0.1",
"1.0.2",
"1.0.0"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://github.com/ossf/package-analysis",
"https://openssf.slack.com/channels/package_analysis"
],
"name": "OpenSSF: Package Analysis",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"import_time": "2026-05-23T18:26:18.344447533Z",
"modified_time": "2026-05-23T17:52:10Z",
"sha256": "5410fe1569b6b68356a714bec6729f19f05c94faa3ee858c58df8a35345f5eca",
"source": "ossf-package-analysis",
"versions": [
"1.0.1"
]
},
{
"import_time": "2026-05-23T18:26:18.614571294Z",
"modified_time": "2026-05-23T18:21:22Z",
"sha256": "850e524520d9a4f99a9db2a9ffbbe932d1fe9256f89661c2ab33840f66dedbcd",
"source": "ossf-package-analysis",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-004374",
"import_time": "2026-05-26T05:52:28.486342435Z",
"modified_time": "2026-05-23T17:54:28Z",
"sha256": "1ebfb513ccab4c26eb32c705dff22c1d406b63b808a892a412b96e83a82cbc57",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-004372",
"import_time": "2026-05-26T05:52:28.272186857Z",
"modified_time": "2026-05-23T17:52:32Z",
"sha256": "475a7ac4130ef9c168565439f8cac230fce87b1d59bc116caec6c712f3a5dc60",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-004375",
"import_time": "2026-05-26T05:52:28.583907486Z",
"modified_time": "2026-05-23T17:54:28Z",
"sha256": "66e2e3fc61650bd0215066af2b21837ff23cb044ab56e385401878cfbec7d8b6",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-004370",
"import_time": "2026-05-26T05:52:28.025149829Z",
"modified_time": "2026-05-23T17:52:27Z",
"sha256": "6e3fd64e82a33680c9545e4065e71a2990350d13c0182777df8c094c9514284e",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-004371",
"import_time": "2026-05-26T05:52:28.152369964Z",
"modified_time": "2026-05-23T17:52:28Z",
"sha256": "86fe18bd38e9f6f5b1f5f4278284e76874c2f5781c9bb5396a230a5d9314a0c2",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-004373",
"import_time": "2026-05-26T05:52:28.386210877Z",
"modified_time": "2026-05-23T17:52:33Z",
"sha256": "aad6652e2eb0c57558109b87ff36a64fdea033ec256d4aa78268c6f49afba499",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (475a7ac4130ef9c168565439f8cac230fce87b1d59bc116caec6c712f3a5dc60)\nOn `npm install`, the postinstall hook (`node install.js`) collects `os.hostname()` and `os.userInfo().username` along with the package name, encodes them as a DNS subdomain of `mjcfux88wjjahplabxdauc6bl.canarytokens.com`, and beacons out via DNS resolution (`dns.lookup`/`dns.resolve`) and HTTP requests (shelled `curl`/`wget` to `http://\u003chost-username-pkg\u003e.mjcfux88wjjahplabxdauc6bl.canarytokens.com`). The package has no real functionality \u2014 `index.js` is `module.exports = {}` \u2014 and `package.json` carries placeholder author metadata (a 32-char hex string with no homepage or repository). The structure (empty main, recon-only postinstall, canarytoken endpoint) is the canonical dependency-confusion probe: an attacker publishes a public npm package matching an internal scope name to detect whether private builds inside a target organization resolve to and install the public name. The exfiltrated hostname/username identifies the victim environment to the attacker.\n\n## Source: ossf-package-analysis (5410fe1569b6b68356a714bec6729f19f05c94faa3ee858c58df8a35345f5eca)\nThe OpenSSF Package Analysis project identified \u0027@newline53/newline-ts-sdk\u0027 @ 1.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n",
"id": "MAL-2026-4267",
"modified": "2026-05-26T05:55:01Z",
"published": "2026-05-23T17:52:10Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@newline53/newline-ts-sdk/v/1.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@newline53/newline-ts-sdk/v/1.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@newline53/newline-ts-sdk/v/1.0.0"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @newline53/newline-ts-sdk (npm)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…