-= Per source details. Do not edit below this line.=-
The package's scripts.install lifecycle hook runs node index.js, which loads lib/core.js. That module collects the installer's OS username, hostname, and current working directory basename, then encodes those values as subdomain labels of oob.sl4x0.xyz prefixed with paypal2 and issues dns.resolve4 queries against the resulting hostname, leaking the data out-of-band to the attacker's authoritative DNS server. The Node API names (os, dns, userInfo, username, hostname, cwd) and the destination domain are hidden as char-code numeric arrays reconstructed via String.fromCharCode in lib/b02e30.js and lib/6ad264.js to evade static inspection. The package is presented as generic 'enterprise utilities' but ships no functionality matching that description.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "834b886e34ea551223e9eeb30561267c93226eac960729a9a0ff6a06277c74cf",
"modified_time": "2026-07-13T17:37:46Z",
"import_time": "2026-07-13T18:10:12.475554015Z",
"id": "IN-MAL-2026-010271",
"versions": [
"9.9.11"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/connectedmerchantsserv/MAL-2026-10459.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "connectedmerchantsserv-9.9.11.tgz",
"hashes": {
"sha512_sri": "sha512-aPFh9YNaxIKaKk/ndy8Wf7vdBNCERDEfdPZCJXCL+0mPi6uLx3jNKXogAaoiY/OdpwKIiWdK5tib0w6qQACQiQ==",
"sha1": "a8ed40359888ec818a98762b3be95cb288b0f6ff"
}
}
],
"evidence_files": [
{
"path": "lib/core.js",
"sha256": "397d1435e7291ed6b02b8627033a110124d250a54290b3a8f9f248573fd6a2d4",
"tlsh": "38014929a393c08f97e096d0361a03d18499c380e7ce80a5fa7c4a87904e7d1cac5a96"
},
{
"path": "lib/b02e30.js",
"sha256": "3daf2ec358d726df0db8f81464e0308fe7c96962198ec5f8d8878fe6334939df",
"tlsh": "9be068177347c94fa1880bf7b90060a0aa0d8f58a12dc0e6f928678500af443c0c0232"
}
]
}