MAL-2026-10128
Malicious code in ohcm-culture-formatting (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5679f4434881406ce5af055e04a3ab7403158df3404c928a7fbc67596d0e9631) ohcm-culture-formatting@5.0.0 declares a preinstall hook (`"preinstall": "node index.js"`) that auto-executes on `npm install`. index.js uses `child_process.exec` to run a shell pipeline that reads `/etc/passwd`, `/etc/hosts`, `/etc/shadow`, and `id` output, base64-encodes the concatenation, and POSTs it via curl to `http://d98fu4tmls2g936th9qgfxje1qj9g91a6.oast.fun/ohcm-culture-formatting/$(whoami)/$(hostname)/`, embedding the installer's username and hostname in the URL path and the file contents in the User-Agent header. The destination is an Interactsh/OAST out-of-band interaction collector. The package name mimics an internal ADP/Lifion (`ohcm-*`) namespace and the description string is `Lifion host`, consistent with a dependency-confusion payload targeting that internal namespace.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for ohcm-culture-formatting (npm). Pin to a known-safe version or switch to an alternative.