-= Per source details. Do not edit below this line.=-
Package smb-portal-uikit@18.1.1 declares a preinstall lifecycle hook that runs node index.js. On npm install, index.js invokes child_process.exec on whoami and id, reads os.hostname(), os.userInfo(), process.platform, and process.cwd(), and POSTs the collected host reconnaissance to a hardcoded attacker-controlled endpoint at https://a2dmzqok5w5seb3fac3w4kvcz35utohd.oastify.com (an oastify.com subdomain, a Burp Collaborator out-of-band interaction host commonly used as an exfiltration/beacon sink). The package ships no legitimate UI-toolkit functionality consistent with its name; the entire install-time behavior is reconnaissance and exfiltration.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010553",
"import_time": "2026-07-14T20:28:24.258746235Z",
"sha256": "395b88ae26544dcfdfca9d46294e1f0558c2e5bade88bac0eb0797d1140debbe",
"versions": [
"18.1.1"
],
"modified_time": "2026-07-14T19:49:16Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/smb-portal-uikit/MAL-2026-10616.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "smb-portal-uikit-18.1.1.tgz",
"hashes": {
"sha512_sri": "sha512-uSzNg83pCrdrEbZb/6z9qYIp9LJBfMrotzq60QgGTi7k0psR8HPoSPvAzuGTqxICKsdc2l40eMgyuqrS1lEqLA==",
"sha1": "c18f97dbb769d217300292ab2b2b2d78f7958186"
}
}
],
"evidence_files": [
{
"path": "package.json",
"sha256": "039886204e0e6a6b017b00be98e85a668afe8ae2328ef703b70da99a618d600b",
"tlsh": "8ed05e385e22593326c506920c2ea44b62a1cf2f15053c0a93cb183cd1dea7798ff35e"
}
]
}