-= Per source details. Do not edit below this line.=-
package.json declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js requires os/fs/https, then collects host identifiers and installer-side files — __dirname, os.homedir(), os.hostname(), os.userInfo(), DNS servers, the full contents of /etc/passwd and /etc/hosts, and the package.json — and POSTs them over HTTPS to xqrangwae3pk5bd12xbr6t8q9hfc32rr.oastify.com (a Burp Collaborator OAST subdomain). The package name 'afterpay-sdk-example-server' impersonates an internal Afterpay SDK example, consistent with a dependency-confusion payload targeting Afterpay's internal build systems. Whether published as research or attack, any installer running npm install leaks system account data and host fingerprints to an attacker-controlled out-of-band collection endpoint.
The OpenSSF Package Analysis project identified 'afterpay-sdk-example-server' @ 20.0.0 (npm) as malicious.
It is considered malicious because: - The package communicates with a domain associated with malicious activity.
{
"malicious-packages-origins": [
{
"modified_time": "2023-05-03T01:37:43.254364445Z",
"source": "ossf-package-analysis",
"import_time": "2023-08-10T06:15:34.688464725Z",
"sha256": "555a159aa3b74ea73f8574c05e14aa536948cbe56b0420bcdcc0daa2a911ae2c",
"versions": [
"20.0.0"
]
},
{
"sha256": "328b2a8f94905ee0b2cc82dfaf2bc08b91fc054f442ec204ff09f65a419a7167",
"id": "RLMA-2024-00311",
"source": "reversing-labs",
"import_time": "2024-06-28T02:41:50.31797239Z",
"modified_time": "2024-06-25T12:25:05Z",
"versions": [
"20.0.0"
]
},
{
"sha256": "a81a53b70f9ae2610148f223507c5427bea5a52160b7f8ba214a0c3ac0fe96f7",
"id": "IN-MAL-2026-007396",
"source": "amazon-inspector",
"import_time": "2026-06-24T03:14:01.252380856Z",
"modified_time": "2026-06-24T02:39:16Z",
"versions": [
"1.2.1"
]
}
]
}{
"evidence_files": [
{
"path": "index.js",
"tlsh": "3a41259592c917330dd110c0660c70812359fa777259d8d076cf42d6af869f8b7316f3",
"sha256": "dda06ca44061b7a005ca1500165416d1144f6edcfc156a1063ccd5b1f5632ac1"
},
{
"path": "package.json",
"tlsh": "10d05e208e62953325c102aa0c2ba44673a18e2f14153c08a7cb192d818f67798ff35e",
"sha256": "c22ab3825f9ec804d68cb62b820cf64dbec063fd77636063e684076559ad2f0f"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/afterpay-sdk-example-server/MAL-2023-1111.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]