VDB
EN

MAL-2026-10128

Malicious code in ohcm-culture-formatting (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5679f4434881406ce5af055e04a3ab7403158df3404c928a7fbc67596d0e9631) ohcm-culture-formatting@5.0.0 declares a preinstall hook (`"preinstall": "node index.js"`) that auto-executes on `npm install`. index.js uses `child_process.exec` to run a shell pipeline that reads `/etc/passwd`, `/etc/hosts`, `/etc/shadow`, and `id` output, base64-encodes the concatenation, and POSTs it via curl to `http://d98fu4tmls2g936th9qgfxje1qj9g91a6.oast.fun/ohcm-culture-formatting/$(whoami)/$(hostname)/`, embedding the installer's username and hostname in the URL path and the file contents in the User-Agent header. The destination is an Interactsh/OAST out-of-band interaction collector. The package name mimics an internal ADP/Lifion (`ohcm-*`) namespace and the description string is `Lifion host`, consistent with a dependency-confusion payload targeting that internal namespace.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / ohcm-culture-formatting

No fixed version published yet for ohcm-culture-formatting (npm). Pin to a known-safe version or switch to an alternative.

참고