-= Per source details. Do not edit below this line.=-
package.json declares preinstall: node index.js, which fires automatically on npm install. index.js loads child_process/os/https, runs whoami and id, collects host identifiers (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, os.type, os.release, process.cwd), and POSTs the collected JSON to a hardcoded Burp Collaborator (OAST) subdomain at https://3quc59n15cfcretszaygwfm9v01rphd6.oastify.com/detox56. The package ships no functional code beyond this beacon, has empty description/author, and is published under the @broadpeak scope — consistent with dependency-confusion reconnaissance impersonating an internal Broadpeak package. Installing this package leaks installer host/user identifiers to an attacker-controlled out-of-band endpoint and confirms code execution inside the target's build environment for follow-up targeting.
{
"malicious-packages-origins": [
{
"sha256": "45df33d93645560085a7efe94308b0e3d846f30c829f2d2804bcdb1245626289",
"id": "IN-MAL-2026-009727",
"import_time": "2026-07-10T22:50:19.092147104Z",
"modified_time": "2026-07-10T22:43:23Z",
"versions": [
"24.1.10"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "8f8c3fdb9d25887f5261526b88affa83cedc58dfcdd4658d238ab1c27dc0a4f6",
"tlsh": "24515fc505f69a291ba7b8494a4f9402b227e0033646de55bfcc8740af9537c9bf0bf2",
"path": "index.js"
},
{
"tlsh": "a2d05e344e21553339c22692182aa5467661cf2f04047c0563db582d518e27798ff71d",
"sha256": "03bf1a4818f0ed90787664df6f821dc0b5418660e2469707e9ab7a188309af63",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "smartlib-ad-24.1.10.tgz",
"hashes": {
"sha512_sri": "sha512-XSRl5W1xCuzJxQB6YcUlkQnxtUCXLoKPw+jT24b4YE5NYNYQ0B+gUHSfuyrRW/TasUS1dEJOCspYugPuhof/SA==",
"sha1": "aab1dfbc34385f7f35ea3e784362860817786a8a"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@broadpeak/smartlib-ad/MAL-2026-10178.json"