-= Per source details. Do not edit below this line.=-
leviosa86-test@4.999.0 ships src/poc/index.js which uses child_process.exec to run a shell pipeline that collects host reconnaissance data (hostname, current working directory, whoami, a package identifier) and the public egress IP fetched from https://ifconfig.me, concatenates the values, and exfiltrates them via nslookup as a subdomain label of d9bd62bu6g119svvav70o3p9tymtrxkoj.oast.site — an Interactsh (project-discovery) out-of-band callback domain. The generic package name combined with the anomalous 4.999.0 version bump is the canonical dependency-confusion research/attack shape, where a high version number is published to a public registry to override a private internal package and cause the recon payload to fire in the victim's build.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010599",
"import_time": "2026-07-15T04:32:05.00816516Z",
"sha256": "46b0bed6337ffe527af2615fed8ae1ecbb449f6a6cb00afa6381f7811ec88956",
"versions": [
"4.999.0"
],
"modified_time": "2026-07-15T03:25:43Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/leviosa86-test/MAL-2026-10636.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "leviosa86-test-4.999.0.tgz",
"hashes": {
"sha512_sri": "sha512-8msHxrXPskhL8RymsF9e8lHFXs9+kiHTFPcv+ue8gf6M4m4EUp4o5pACH4IR1rsamGamlDHFUShMgDySu3i6TA==",
"sha1": "27f0faa2ac3e04da498c6b08e0eb61625e1fb7fd"
}
}
],
"evidence_files": [
{
"path": "src/poc/index.js",
"sha256": "a93d55cd8499780045f07b664b09d0eabe89dbf77b4e5e963c92d8572ca33290",
"tlsh": "bce0abc47aae1437b3c010819e31200bfe83db6a1ab1d8a4e20981763448b84b0a51e2"
}
]
}