OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5351 confirms this npm version as malicious. **Note:** *This report is updated by a verification record*
Advisory
MAL-2026-5351
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @demica/shared (npm)
Details
**Note:** *This report is updated by a verification record*
Dep-confusion squat of internal @demica/shared at sentinel high version 99.99.100 + auto-exec postinstall (canary.js) beaconing to RAW IP 157.230.17.236:80/dc. Sentinel-high-version + auto-exec beacon = MALICIOUS per operator policy (c913); "authorized canary" framing does NOT downgrade, raw-IP dest matches masterkrweb. 6-pkg @demica canary campaign.
---
## Source: amazon-inspector (becb5aca9f28fbd99a4f45ed70489960879ba81cfbd2071648c98cf5e867d8f9) On install, the package's postinstall hook (`node canary.js postinstall` per package.json) issues an unconditional HTTP GET to bare IP 157.230.17.236:80 at path `/dc` with query params containing the package name, version, a nonce, and the lifecycle phase. No environment variables, filesystem contents, or credentials are read or transmitted; the payload is limited to package metadata. The README describes this as an authorized dependency-confusion canary against the @demica scope. The fact-of-install ping is otherwise benign, but it performs unconsented outbound network at install time, the destination is a bare IP over cleartext HTTP with no authentication or pinning, and the same postinstall hook is a position from which a future republish could deliver arbitrary payloads. Routing to human review so the @demica organization can confirm the canary is theirs and that the destination IP is operator-controlled.
Decision reason
OpenSSF Malicious Packages via OSV confirms @demica/shared@99.99.99 as malicious (MAL-2026-5351): Malicious code in @demica/shared (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory