The package communicates with a domain associated with malicious activity.
-= Per source details. Do not edit below this line.=-
package.json declares preinstall=node index.js, which fires automatically on npm install. index.js collects host reconnaissance — os.hostname(), os.platform()/arch, os.homedir(), os.userInfo() (username/uid/gid/shell), whoami and id shell command output via child_process.exec, OS info, and cwd — and POSTs the JSON payload to a hardcoded Burp Collaborator OAST subdomain at https://theyfiesr9w2p5moyrr9yn6lscy3mvak.oastify.com/detox56. The package name impersonates a Red Bull brand namespace, consistent with a targeted reconnaissance / dependency-confusion probe against an internal Red Bull build environment. Installer harm is concrete: every npm install of this version leaks installer identity and host fingerprint to an attacker-controlled out-of-band destination.
{
"malicious-packages-origins": [
{
"sha256": "3b5fe5829b1fbc9d863be9bad876998565a13ebc95fecc9ccc5600f92ecd423b",
"id": "IN-MAL-2026-008599",
"source": "amazon-inspector",
"import_time": "2026-07-08T21:27:49.425518565Z",
"modified_time": "2026-07-08T20:34:16Z",
"versions": [
"19.2.1"
]
}
]
}{
"evidence_files": [
{
"path": "index.js",
"tlsh": "525140c516f65a251ba7b8494a4f9002a327e0033509ee55bfcc8340af9937c9bf0bf6",
"sha256": "5ad438bc2656321332a7ab460fc3349900ad58f51ef9394cfb9a53a3b6e6703f"
},
{
"path": "i",
"tlsh": "d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123",
"sha256": "5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a"
}
],
"package_integrity": [
{
"filename": "red-bull-venue-tools-19.2.1.tgz",
"hashes": {
"sha1": "c2a716b21f1feea01f6fe8180711fe10f27db350",
"sha512_sri": "sha512-hEcbw1tdo0ddRdza5P1/mrM6igy/fBX0ZZHc5dZtCDXh1CL5wVHVUHmnZjW6YeeFtuTSY3Gt55vWVK4MM0t1jQ=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/red-bull-venue-tools/MAL-2025-5455.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]