-= Per source details. Do not edit below this line.=-
The package's postinstall hook auto-executes index.js on npm install. The script collects the installer's OS username (os.userInfo()), current working directory (process.cwd()), and external IPv4 address from network interfaces, then POSTs them as JSON to a hardcoded interactsh out-of-band collector at dodwqvexnkotaavogofbj9kjz5pltcu7b.oast.fun/receive-data. The package name mimics MercadoLibre's internal 'fury/andes-ui' naming convention and is published at version 99.9.5 to force resolution over any legitimate internal package with the same name — the standard dependency-confusion attack shape. The package ships no library functionality matching its name; its only effect on install is the identity beacon.
{
"malicious-packages-origins": [
{
"versions": [
"99.9.5"
],
"id": "IN-MAL-2026-009396",
"import_time": "2026-07-09T21:03:50.781166041Z",
"modified_time": "2026-07-09T20:40:26Z",
"sha256": "29bea4f118854efa6568545722d7210a76e06e64cad4036e0cc0b45c45aafe37",
"source": "amazon-inspector"
},
{
"versions": [
"99.9.6"
],
"id": "IN-MAL-2026-009612",
"import_time": "2026-07-10T15:23:37.003792875Z",
"sha256": "b1aefe94fdc715e7ebd113a5ee7389e98dac714fdeae3df64fc0168d60325319",
"modified_time": "2026-07-10T15:18:00Z",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "fury_frontend-andes-ui-99.9.5.tgz",
"hashes": {
"sha512_sri": "sha512-0bLkiPOsPNw1i5rFLin1fkul5fmZ7HoetDDhFp4EBUUfYIBsenXWsWrC5L8w4f+EEUslRItgGT7v7rASY9rzMw==",
"sha1": "065e4280136fb4c7c6a1c5dfeec4dce69dc96f87"
}
}
],
"evidence_files": [
{
"sha256": "7bc8f8d3dfd900f28b5d7bff66f0985294a2a9e4048152f776f7e224c8ebf58c",
"tlsh": "5031109465f6611046b658d8108f88193529f003325edfc0fbed43d0afc6578e9b2edd",
"path": "index.js"
},
{
"sha256": "808cf8d0f187084f88a685dfe6b07f948533e94c046c313a4b7ac075a6a69a30",
"tlsh": "bbd0a7745c315a3378d456e60966640bb5619d1b0114780d5793245c92dea3748fd60f",
"path": "package.json"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fury_frontend-andes-ui/MAL-2026-10095.json"