-= Per source details. Do not edit below this line.=-
The package declares a preinstall hook (node index.js) that runs automatically on npm install. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, whoami, id, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56. The package ships with empty description, author, and license fields and no functional code beyond the beacon. The unscoped name giantswarm impersonates the Giant Swarm vendor namespace, consistent with a dependency-confusion attack targeting private @giantswarm/* scopes.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "75f3a244f2761c56347f695897a491d23ab04cafe1e5b0e46fd7d0d2c993f828",
"modified_time": "2026-07-12T20:47:05Z",
"import_time": "2026-07-12T20:48:33.592158351Z",
"id": "IN-MAL-2026-009758",
"versions": [
"22.0.1"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/giantswarm/MAL-2026-10203.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "giantswarm-22.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-HiN5slo29jCjLaDsrVkHLWMOLGODPXPPfGCDV9Gjr6R/GG1CVwrGoG6/ppxxe7qSY/L30FGL60EM3Shsh1kK7w==",
"sha1": "a0a230d2566d59eb7ba261e854f38f8ba4ae5666"
}
}
],
"evidence_files": [
{
"path": "index.js",
"sha256": "3c3a2ebdbdc414aac7ddf6ee6fbfd0fdd4a1320c180231c5f760e7f605c3644b",
"tlsh": "4f5150d515f65a251b67b8494a4f9402a327e0033509de55bfcc8340af9537c9bf0bf2"
},
{
"path": "package.json",
"sha256": "6835a2008f27ae6cb55a7fbd681dc344257350dc23f4098ce08fbae07b258581",
"tlsh": "7ed05e244d21552325c102924c2a9446b2618e2b04147c08678b182c818e67798ff31c"
}
]
}