-= Per source details. Do not edit below this line.=-
The package declares preinstall: node index.js, which runs automatically on npm install. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes whoami and id via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56. The package name api-changelly impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private changelly-family dependency to this public package.
{
"malicious-packages-origins": [
{
"sha256": "a94f4aa368f1838507a78dde78062b740a5853b516d9d32782d0264b539b724c",
"id": "IN-MAL-2026-009757",
"import_time": "2026-07-12T20:48:33.549270104Z",
"modified_time": "2026-07-12T20:46:51Z",
"versions": [
"19.2.11"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "api-changelly-19.2.11.tgz",
"hashes": {
"sha512_sri": "sha512-Kd9Th2X8xB5P4IhMYp+jrYxIMhuoJOuTA47rFLhR7PWaj6IdsWH3iEH70QkwuGoE1xSmPBsraU0UF1Z90xQLzw==",
"sha1": "ab3085ad2a1819a7692f77c63ca919d9f36893ba"
}
}
],
"evidence_files": [
{
"sha256": "9da89e1cfd4a5fadc51e63f0064bb3535e4f21f82572f4de2e82e9e88d29f965",
"tlsh": "755141c515fa56241ba7b8494a4f9002a327e0033905de55bfcc8740af9937c97f0bf2",
"path": "index.js"
},
{
"sha256": "b923d6ac85d73e151c9f6522c7eabefff93802dc070710f8828f08dc0ead2adf",
"tlsh": "56d0a7748e21553369c502624c2ba44772b19f6f14147c0463df592d52ce67798ff30d",
"path": "package.json"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/api-changelly/MAL-2026-10200.json"