-= Per source details. Do not edit below this line.=-
cppt-common@13.1.1 declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js collects host and user identifiers — os.hostname(), os.userInfo(), the output of whoami and id via child_process.exec, platform/arch/memory, cwd, homedir, and shell — and POSTs the collected JSON to a hardcoded endpoint at https://mj9yg25wm8m4vnkrrok8lwcogfm6awyl.oastify.com/detox56. The oastify.com host is a Burp Collaborator out-of-band callback domain used for exfiltration. The package has empty description and author fields and provides no advertised functionality; its only install-time effect is the reconnaissance beacon.
{
"malicious-packages-origins": [
{
"import_time": "2026-07-14T22:23:33.989917199Z",
"sha256": "484688d5963a9246f4fe7a2b5c1c7ebe6bba135a2a5df66b3ab57f44978407b2",
"modified_time": "2026-07-14T22:16:11Z",
"versions": [
"13.1.1"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010586"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "cppt-common-13.1.1.tgz",
"hashes": {
"sha1": "6926be77c70dcd4805f548de0a7fec56af6cb0ce",
"sha512_sri": "sha512-h6DYfs4IBJJeS2F2R/6nz51WopJxZ6XmNx0WUNnmgAj9hVcns8V3Yi/JDYwuCisngbG5vnyoWAs4L/2kfrGtaQ=="
}
}
],
"evidence_files": [
{
"tlsh": "955131c515f659251ba7b8494a0f9402a327e0033505de55bfcc8740af9936c9bf0bf6",
"sha256": "0b11f117bb21140a7a6f707d67f5d82960593281ee144ee4112b6fe1617851d8",
"path": "index.js"
},
{
"tlsh": "9dd05e345e51652329c50692082ea44662a18f2f09543809a7cb683c92de6779cff31d",
"sha256": "875c76abf1a9c2ad33739f117fe50f13447905ca1c2f3229f70e23af60df3d6c",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cppt-common/MAL-2026-10632.json"