Vulnerability-Lookup

mal-2026-4807

Vulnerability from ossf_malicious_packages

Published

2026-05-26 12:07

Modified

2026-05-27 13:36

Summary

Malicious code in shop-minis (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6e9e3e4e8e9e12bac20967fa551c549a93915b33007d7e54f8bfe0eed26a216e)

On npm install, the package's postinstall script (postinstall.js, run via scripts.postinstall = 'node postinstall.js') collects host identity — whoami, id, os.hostname(), os.platform(), current working directory, and the env vars CI, GITHUB_REPOSITORY, NODE_ENV — and sends them to the hardcoded attacker-controlled host svr57aylqme3zald4p0psi1hw827q1eq.oastify.com (a Burp Collaborator / OAST canary domain) via both https.get and DNS lookup. The package name shop-minis and self-described 'Security research canary — shopify' impersonate Shopify's Shop Minis platform, so any developer expecting that namespace would unwittingly leak host recon to the canary operator's collaborator instance. The package ships no real functionality matching its name; the only effect of installation is the exfiltration beacon.

Source: ghsa-malware (15ec57895cae37229f449175b247b9d216d8b9e6f7d521341cfa6ffee413b07e)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

CWE

CWE-506 - The product contains code that appears to be malicious in nature.
CWE-506 - The product contains code that appears to be malicious in nature.

Credits

Amazon Inspector actran@amazon.com

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "domains": [
            "svr57aylqme3zald4p0psi1hw827q1eq.oastify.com",
            "scan.svr57aylqme3zald4p0psi1hw827q1eq.oastify.com"
          ],
          "evidence_files": [
            {
              "path": "postinstall.js",
              "sha256": "7fc4ea8b86c27e4111b2dc03ad327de9dc80ee686f0443edc0171645f46f6bbb",
              "tlsh": "050141a463f4e6b444f31dc0e2158c17b067e0103301bae07cec8354ab85ab445b5ced"
            },
            {
              "path": "package.json",
              "sha256": "43c55e42e821f4f501fa424379a65296edc45f351bdeda3d0d9e99d5f979996b",
              "tlsh": "35d05e2058625773b8d90aae0c369148daa24d1b5244ec3817e721c4871a27a957b36a"
            }
          ],
          "package_integrity": [
            {
              "filename": "shop-minis-2.0.5.tgz",
              "hashes": {
                "sha1": "f556b4533e1bcc01f0a1bc5f7af50eba85ad4303",
                "sha512_sri": "sha512-N3ej+GGqFOLiOSNFvxkdwTXwY4M1b1cKQMhqN0BClUlWWfqvjUHGsbpUSue9yrAsnZTxDZbMDw1f7hkcaBsB+g=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "shop-minis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": [
        "2.0.5"
      ]
    }
  ],
  "aliases": [
    "GHSA-ghv6-vv2r-5f8v"
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004905",
        "import_time": "2026-05-26T13:32:46.607776866Z",
        "modified_time": "2026-05-26T12:07:26Z",
        "sha256": "6e9e3e4e8e9e12bac20967fa551c549a93915b33007d7e54f8bfe0eed26a216e",
        "source": "amazon-inspector",
        "versions": [
          "2.0.5"
        ]
      },
      {
        "id": "IN-MAL-2026-004906",
        "import_time": "2026-05-26T13:32:46.72409743Z",
        "modified_time": "2026-05-26T12:07:27Z",
        "sha256": "7366059c37dc67acd2988ef814e67556fc226b983668520a41518ca39c14902e",
        "source": "amazon-inspector",
        "versions": [
          "2.0.5"
        ]
      },
      {
        "id": "GHSA-ghv6-vv2r-5f8v",
        "import_time": "2026-05-27T13:34:11.952502482Z",
        "modified_time": "2026-05-27T13:25:15Z",
        "ranges": [
          {
            "events": [
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "sha256": "15ec57895cae37229f449175b247b9d216d8b9e6f7d521341cfa6ffee413b07e",
        "source": "ghsa-malware"
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6e9e3e4e8e9e12bac20967fa551c549a93915b33007d7e54f8bfe0eed26a216e)\nOn `npm install`, the package\u0027s postinstall script (`postinstall.js`, run via `scripts.postinstall = \u0027node postinstall.js\u0027`) collects host identity \u2014 `whoami`, `id`, `os.hostname()`, `os.platform()`, current working directory, and the env vars `CI`, `GITHUB_REPOSITORY`, `NODE_ENV` \u2014 and sends them to the hardcoded attacker-controlled host `svr57aylqme3zald4p0psi1hw827q1eq.oastify.com` (a Burp Collaborator / OAST canary domain) via both `https.get` and DNS lookup. The package name `shop-minis` and self-described \u0027Security research canary \u2014 shopify\u0027 impersonate Shopify\u0027s Shop Minis platform, so any developer expecting that namespace would unwittingly leak host recon to the canary operator\u0027s collaborator instance. The package ships no real functionality matching its name; the only effect of installation is the exfiltration beacon.\n\n## Source: ghsa-malware (15ec57895cae37229f449175b247b9d216d8b9e6f7d521341cfa6ffee413b07e)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n",
  "id": "MAL-2026-4807",
  "modified": "2026-05-27T13:36:02Z",
  "published": "2026-05-26T12:07:26Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/shop-minis/v/2.0.5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-ghv6-vv2r-5f8v"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in shop-minis (npm)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted