-= Per source details. Do not edit below this line.=-
package.json declares preinstall: node index.js. On npm install, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out whoami and (non-Windows) id via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.
{
"malicious-packages-origins": [
{
"versions": [
"25.2.1"
],
"id": "IN-MAL-2026-009759",
"import_time": "2026-07-12T20:48:33.642381506Z",
"modified_time": "2026-07-12T20:47:17Z",
"sha256": "28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "library-explorer-25.2.1.tgz",
"hashes": {
"sha512_sri": "sha512-pPRZb0SmChegNahUt4gyhtmrWHrwdyp+8MUM8WVJ/XNW76huybrE8o7u4k/JOqVNlxWMwjMlsIyJYJUP7hb50A==",
"sha1": "be274220fdd450b1cc65896fd7c2629df819ad7c"
}
}
],
"evidence_files": [
{
"tlsh": "ca5130c515f655241b67a8494a4f9402a327e0033509de55bfcc8340af8937c97f0bf6",
"sha256": "4a33f8f2706676a92ea4c159f5cfb4253b36da86d2bb5672809e6419f554702b",
"path": "index.js"
},
{
"sha256": "21f6e3dffa7719b18e1eb0968fe4d98328260c493183d7ccc627e1dac3f4b430",
"tlsh": "64d05e244e21553365c10252082b958672628e2b04043c08a7db182c61ce27b98ff35d",
"path": "package.json"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/library-explorer/MAL-2026-10205.json"