-= Per source details. Do not edit below this line.=-
Package dl-pp-latm@80.4.2 registers both preinstall and postinstall lifecycle hooks that run index.js, which collects installer machine identifiers — os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), current working directory, and the full package.json — and transmits them via HTTPS POST and DNS lookup to an Interactsh-style subdomain 'bvfmpadujgjgmbtzeibiikzijuhmtd2rs.oast.fun'. The package name pattern and 'Internal App bUg b0UntY gollum22' description match a dependency-confusion probe targeting internal/private package names; any developer workstation or CI system that resolves this package leaks internal hostnames, usernames, and DNS configuration to a third-party OOB collector. This fires automatically on npm install without user interaction.
{
"malicious-packages-origins": [
{
"sha256": "e21f1adb71c41838848c4d4292830a9738895d32a5b0f1f098e1efdadb233716",
"id": "IN-MAL-2026-009375",
"source": "amazon-inspector",
"import_time": "2026-07-09T17:19:30.80729264Z",
"modified_time": "2026-07-09T17:03:02Z",
"versions": [
"80.4.2"
]
}
]
}{
"package_integrity": [
{
"filename": "dl-pp-latm-80.4.2.tgz",
"hashes": {
"sha1": "2f08415098c1c436a3363ea25a98089761373f10",
"sha512_sri": "sha512-GErY71T3aJhA/iN4e7dhhAGjya+YmNbs+frbPQiFHkwUsODwz1w8ptwtZB1xnh6QnMxsOH6u9aXsbn7w29SVVA=="
}
}
],
"evidence_files": [
{
"path": "index.js",
"tlsh": "b7413398445163608eb187d86911d40af6a6eb7731c487a5f9fe47c02fb36b420b2dbc",
"sha256": "372af57e73c6d36ea2deb9fcafe7469c3a09849ef18e9ff2b894ba8e8cca425b"
},
{
"path": "package.json",
"tlsh": "e7e026324c361a2329b006aa887ba956b2a08f3f10349c17b1bf092c91e323198de30d",
"sha256": "21ff6f483981c8d7a11d2d40faae6c89704891f1886f493a50afb0aa93ae6d93"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dl-pp-latm/MAL-2026-10086.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]