-= Per source details. Do not edit below this line.=-
Package declares a preinstall script (node./index.js) that fires automatically on npm install. The executed index.js issues an HTTP GET to a Burp-Collaborator-style subdomain at 85324cf9ac5145428803ea[...].collaborator.zivyelab.com/hello01?test=01. This confirms code execution on the installer's machine and a DNS/HTTP callback to a non-first-party host on every install, leaking host and network reachability information. The pattern is consistent with a dependency-confusion probe; regardless of stated intent, it executes on any installer and beacons to a third-party collaborator endpoint.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-15T11:30:22Z",
"sha256": "db44619df34ccbffa5747f17c8135602583a781ec01f8d3c03e0f828157e944c",
"versions": [
"1.0.5"
],
"import_time": "2026-07-15T11:33:40.326746497Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010677"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "ls-env-config-1.0.5.tgz",
"hashes": {
"sha1": "9625d3efc307005c9d0f777c59545c16a00b9cfb",
"sha512_sri": "sha512-8//Iv8ey6Q3Rw5YP6vGUyyIOLgivceT1xWVcw878XP7ZMSUot+b3nHWOjjpyAB6Qdiw4CO/ZIui+JBiz6t1/aQ=="
}
}
],
"evidence_files": [
{
"tlsh": "12b0123cc287660ad971704091bc0156910c4943c9c2d1e337652dab39566610de06f0",
"sha256": "e3ec83c7a3415ebc86e382f518496f6d6b6336e7f89c33bebb1ea6e29a22ffbb",
"path": "index.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ls-env-config/MAL-2026-10678.json"