MAL-2026-10183

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fkext-browser-min/MAL-2026-10183.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10183
Published
2026-07-10T22:43:30Z
Modified
2026-07-10T23:01:53.599676029Z
Summary
Malicious code in fkext-browser-min (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c)

The package runs vishu.js as a preinstall lifecycle hook on npm install. That script fetches the machine's public IP from api.ipify.org, collects os.hostname() and GitHub Actions / CI environment variables (GITHUB_*), and transmits them as query parameters to a hardcoded webhook.site collector URL over HTTPS. It additionally performs a DNS lookup of a subdomain of the form ping-<hostname>.<collaborator>.oastify.com, providing an out-of-band exfiltration channel (Burp Collaborator style) that bypasses HTTP egress filters. There is no legitimate functionality shipped alongside this — the package's only install-time effect is host reconnaissance and beacon-out to attacker-controlled sinks. This is a dependency-confusion / bug-bounty-style beacon against installer/CI environments.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1e56088bc1216133ce76ad6026b73c2fd6977f9c64ec1c2ab38234dc90403b2c",
            "id": "IN-MAL-2026-009728",
            "import_time": "2026-07-10T22:50:19.244634627Z",
            "modified_time": "2026-07-10T22:43:30Z",
            "versions": [
                "1.0.14"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / fkext-browser-min

Package

Affected ranges

Affected versions

1.*
1.0.14

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "fkext-browser-min-1.0.14.tgz",
            "hashes": {
                "sha512_sri": "sha512-F5c2Lb6QIXFu+3ldBEdQ3gOZ9b+aOHDYbx8cXRSCgQAmPyrNjZRoHMHL7ZOJY+CeS20rE+Z4rFKAbE+U4hNAWg==",
                "sha1": "956d600ab58369d4f8abe1eb7b363df2092d4b65"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "7831104db2f7551004f263c8561b951e715be1533325dda1799c02521faad3c82e3bd8",
            "sha256": "148b5be8544f83525c7442f450050b49d7bb467ee17d3b5df9d23c4f39663f8c",
            "path": "vishu.js"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fkext-browser-min/MAL-2026-10183.json"