{"id":"MAL-2026-6696","summary":"Malicious code in @businessapp-microsites/apis (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7)\nPackage squats the @businessapp-microsites npm scope and is published at version 9999.0.0 to outrank any internal version during dependency resolution. The package.json declares a postinstall script that runs `node -e` to issue an HTTPS GET to poc-trustpilot-npm-1782770591.testingboxes.com with a unique per-package token in the URL path. On any `npm install` that resolves this scope from the public registry, the installer's machine performs an outbound callback that confirms execution and discloses the installer's source IP and the fact-of-install to a third-party host. The combination of an unregistered-scope squat, the 9999.0.0 version pin, and an install-time beacon to an external host is the canonical dependency-confusion attack pattern; researcher framing in the package metadata does not change the runtime behavior on any machine that installs it.\n","modified":"2026-06-30T21:46:38.352997259Z","published":"2026-06-30T20:59:02Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007813","source":"amazon-inspector","import_time":"2026-06-30T21:35:49.577930753Z","sha256":"8e03d8a4119cd5d1c143adb4fcdab1625747178082a6d56717e758b513aec4f7","versions":["9999.0.0"],"modified_time":"2026-06-30T20:59:02Z"},{"modified_time":"2026-06-30T20:59:09Z","source":"amazon-inspector","import_time":"2026-06-30T21:35:49.707235574Z","sha256":"f314f6c735fd7e1f9b226a235d36d50bb13f253d7fc3dfa7ef06d3b52d5f96bc","versions":["9999.0.1"],"id":"IN-MAL-2026-007814"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@businessapp-microsites/apis/v/9999.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@businessapp-microsites/apis/v/9999.0.1"}],"affected":[{"package":{"name":"@businessapp-microsites/apis","ecosystem":"npm","purl":"pkg:npm/%40businessapp-microsites%2Fapis"},"versions":["9999.0.0","9999.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@businessapp-microsites/apis/MAL-2026-6696.json","indicators":{"package_integrity":[{"filename":"apis-9999.0.0.tgz","hashes":{"sha1":"16c0dd840f392da3b019d6cf4e1e885bbadfabcd","sha512_sri":"sha512-ez1OgjT45x4PMZwtSoBaEl5I3iVz3yX7ywr6rvD6vkfeZrn0uCFdmBuVfdVvXcx6F8VoQQgH3gbBGOlIlYpixQ=="}}],"evidence_files":[{"sha256":"5f890811f43dc23e9222fb1b742677bf9ac88ad699b27536b342a66d8f3c0377","tlsh":"760123794418292b1dc0b2f68172e92ed821fb0b20426918b6f942cd27558b6c13971d","path":"package.json"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}