-= Per source details. Do not edit below this line.=-
The package runs vishu.js as a preinstall lifecycle hook on npm install. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form ping-<hostname>.<collaborator>.oastify.com, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.
{
"malicious-packages-origins": [
{
"sha256": "1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c",
"id": "IN-MAL-2026-009728",
"import_time": "2026-07-10T22:50:19.244634627Z",
"modified_time": "2026-07-10T22:43:30Z",
"versions": [
"1.0.14"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "fkext-browser-min-1.0.14.tgz",
"hashes": {
"sha512_sri": "sha512-F5c2Lb6QIXFu+3ldBEdQ3gOZ9b+aOHDYbx8cXRSCgQAmPyrNjZRoHMHL7ZOJY+CeS20rE+Z4rFKAbE+U4hNAWg==",
"sha1": "956d600ab58369d4f8abe1eb7b363df2092d4b65"
}
}
],
"evidence_files": [
{
"tlsh": "7831104db2f7551004f263c8561b951e715be1533325dda1799c02521faad3c82e3bd8",
"sha256": "148b5be8544f83525c7442f450050b49d7bb467ee17d3b5df9d23c4f39663f8c",
"path": "vishu.js"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fkext-browser-min/MAL-2026-10183.json"