-= Per source details. Do not edit below this line.=-
package.json declares a preinstall hook that runs index.js. On npm install, index.js collects host reconnaissance from the installer (os.hostname(), os.userInfo(), os.platform(), os.arch(), homedir, uid/gid, shell, plus the output of whoami, id, and cwd via child_process) and POSTs the resulting JSON to the hardcoded URL https://rmh3j781pdp9ysnwutndo1ftjkpbd31s.oastify.com/detox56. oastify.com is a Burp Suite Collaborator out-of-band interaction domain, and the unique random subdomain plus install-time host beacon is the canonical dependency-confusion / reconnaissance exfiltration shape.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-14T19:49:26Z",
"source": "amazon-inspector",
"import_time": "2026-07-14T20:28:24.320017687Z",
"versions": [
"15.2.0"
],
"id": "IN-MAL-2026-010554",
"sha256": "66072ca2fc20c19a01d0a2b888d90632a7d9bfdc34a2d1a71b61ad06975eae5c"
}
]
}{
"package_integrity": [
{
"filename": "smb-common-uikit-15.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-I/AO9wMK70O/46zBTpxtTYBVtr2x+8H7AW1IiYvjlNnUorPV1n9Bi/hVFufX+N3A3iuhhRXp85HxaHue1JvFsg==",
"sha1": "42724b4be447cfdfe7fb1830b2f05f739c354094"
}
}
],
"evidence_files": [
{
"tlsh": "235142c516f659241b67b8494a4f9402a327e0033545ee55bfcc8740af9937c9bf0bf6",
"path": "index.js",
"sha256": "4f59d47b9b51db3e0949a24406b7aa569946acf660c9dcd551bef4ae37a37bca"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/smb-common-uikit/MAL-2026-10615.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]