-= Per source details. Do not edit below this line.=-
Package @leviosa86com/leviosa86-test@5.999.0 ships src/poc/index.js which shells out via child_process.exec to collect host identifiers (hostname, pwd, whoami) and the installer's public IP (curl https://ifconfig.me), then concatenates the collected data into a subdomain label and triggers a DNS lookup (nslookup) against a unique subdomain of oast.site (a d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site Interactsh out-of-band interaction server), exfiltrating host recon over DNS to an attacker-controlled OAST endpoint. package.json declares preinstall: node index.js; a root index.js is not present in the tarball, so the default install may no-op, but the shipped src/poc/index.js payload is unambiguous exfiltration recon and the package name/version shape (@leviosa86com/leviosa86-test@5.999.0, a very high version) matches a namespace-squat / dependency-confusion attempt targeting a private @leviosa86com scope.
The OpenSSF Package Analysis project identified '@leviosa86com/leviosa86-test' @ 6.2.1 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-15T03:26:07Z",
"versions": [
"6.2.1"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010602",
"sha256": "13b01aa531b313ead73acfb41f17766937649e9a3036694802aa53ff7d16f4a9",
"import_time": "2026-07-15T04:32:05.371496258Z"
},
{
"modified_time": "2026-07-15T03:25:58Z",
"versions": [
"6.0.0"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010601",
"sha256": "27e1ac5cd072c9307baa60fafce25dda228f1f5d8108e37ba1824da8ddd71f14",
"import_time": "2026-07-15T04:32:05.224151594Z"
},
{
"id": "IN-MAL-2026-010600",
"versions": [
"4.999.0"
],
"modified_time": "2026-07-15T03:25:51Z",
"source": "amazon-inspector",
"sha256": "3db0b116d212c45c320013968a82a31680729be8821b7069bbc0540b016ce542",
"import_time": "2026-07-15T04:32:05.107284853Z"
},
{
"source": "amazon-inspector",
"versions": [
"5.999.0"
],
"sha256": "96264a8719e17bd8ec21d47213fe31dec87445e01ff312a1e46af5819e028979",
"id": "IN-MAL-2026-010603",
"modified_time": "2026-07-15T03:26:16Z",
"import_time": "2026-07-15T04:32:05.475516389Z"
},
{
"modified_time": "2026-07-15T02:11:09Z",
"versions": [
"6.2.1"
],
"source": "ossf-package-analysis",
"sha256": "bd27813c19849691d4281fa9d708aee4d3d5136d7178c4d2d3280a5226793e28",
"import_time": "2026-07-15T07:40:14.520070394Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "leviosa86-test-6.2.1.tgz",
"hashes": {
"sha512_sri": "sha512-LzB8MuC/rvy6Wy1md4XHP8o5gMHosAABNzCwFzoNi4RanNDICTjchwb/0nf+TeyRxKDR+z/GjB6TX1jnj3s16w==",
"sha1": "5cd1acc4aeb9b1d2d21aee318db8adfee1d01fad"
}
}
],
"evidence_files": [
{
"path": "src/poc/index.js",
"sha256": "a93d55cd8499780045f07b664b09d0eabe89dbf77b4e5e963c92d8572ca33290",
"tlsh": "bce0abc47aae1437b3c010819e31200bfe83db6a1ab1d8a4e20981763448b84b0a51e2"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@leviosa86com/leviosa86-test/MAL-2026-10625.json"