-= Per source details. Do not edit below this line.=-
package.json declares a preinstall: node index.js hook that fires automatically on npm install. index.js collects installer-side data — os.hostname(), os.userInfo(), home directory, DNS server configuration, the contents of /etc/passwd and /etc/hosts, and the contents of the consumer's package.json — then HTTPS POSTs the assembled JSON to f3js0y9srl22itqjffo9jbl8mzswgm4b.oastify.com, an attacker-controlled Burp Collaborator subdomain. The package's advertised purpose (an OAuth helper) bears no relationship to reading /etc/passwd or beaconing host identifiers off-machine. This is a reconnaissance / dependency-confusion exfiltration payload that runs unattended on every installer.
{
"malicious-packages-origins": [
{
"versions": [
"2.0.1"
],
"import_time": "2024-06-28T02:44:12.934484377Z",
"modified_time": "2024-06-25T12:53:40Z",
"id": "RLMA-2024-01484",
"sha256": "58cdf77b0ce849d87a73b7b742c549d96a0e74a5083bbd5e7052cec96dcd6f75",
"source": "reversing-labs"
},
{
"import_time": "2024-10-24T00:58:08.729509642Z",
"modified_time": "2024-10-16T13:08:36Z",
"id": "RLUA-2024-07004",
"sha256": "e9e13b3242147d53e64ad60318a7ab4e3dcf782f750149928912d60a5b8961cf",
"source": "reversing-labs"
},
{
"versions": [
"0.1.1"
],
"import_time": "2026-06-23T22:31:28.726727113Z",
"modified_time": "2026-06-23T22:25:41Z",
"id": "IN-MAL-2026-007390",
"sha256": "b49c48193ba50bb4ead1e212925eab8873e7e4ad7fa834d41e7626bb4e5036f3",
"source": "amazon-inspector"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oauth-connect/MAL-2024-2779.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "oauth-connect-0.1.1.tgz",
"hashes": {
"sha1": "c723bfe3fe202419a53e270b6f97007d59592ae4",
"sha512_sri": "sha512-VrJwoZPHzVKjz7CxEzkTDDSmYA0Z7GP+hh/vSTp648nBdkrarpTret3TgkTTKVLbqKOl78zYb4ltmcDuo71i7g=="
}
}
],
"evidence_files": [
{
"path": "index.js",
"sha256": "b98e6327b15b5885a437db2baa282eb78a85ff62c75a6a91dde7160ddd21ebb7",
"tlsh": "3c411395a2c917330dd210c06a0c70812359fa767259a9d076cf42969f869f8b7326f3"
}
]
}