MAL-2026-3647

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/haswons/MAL-2026-3647.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3647
Published
2026-05-09T00:00:00Z
Modified
2026-05-13T08:53:11.029588Z
Summary
Malicious code in haswons (npm)
Details

haswons is a typosquatting package impersonating hasown, the utility for checking whether an object has a direct own property. The package bundles the legitimate hasown source to appear functional while hiding a credential-theft payload in index1.js, executed at install time via the postinstall script. It is part of a campaign that also includes briantreehttp, dit-envv, and erslove, all sharing an identical payload and C2 infrastructure.

The payload collects hostname, platform, architecture, Node.js version, UID, current working directory, all environment variables, AWS credentials (~/.aws/credentials, ~/.aws/config), npm tokens from .npmrc files (root, home, and working directory), Docker config (~/.docker/config.json), git config, .netrc, yarn config, npm global config, directory listings of the working directory, home, filesystem root, and /etc, network configuration files (/etc/resolv.conf, /etc/hosts, /proc/net/route), and AWS ECS/EC2 instance metadata from internal endpoints. All collected data is base64-encoded and exfiltrated via HTTPS POST to reportviewer.click/collect/. A secondary DNS-based exfiltration channel encodes environment variables into a subdomain and issues a request to dns.reportviewer.click.
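The two indicators the description above turns on, an install-time lifecycle script and a package name one edit away from a popular one, can be checked mechanically. The following audit is an added example, not code from the OSV record or the malicious-packages project; the sample manifest, the KNOWN list and the postinstall command are constructed assumptions (the advisory states only that index1.js runs via postinstall).

```javascript
// Added example (not part of the OSV record): audit a parsed package.json for
// the two indicators this advisory describes, an install-time lifecycle script
// and a name that is a near-miss of a well-known package. The sample manifest
// and KNOWN list are constructed; the exact postinstall command is assumed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Optimal-string-alignment (Damerau) distance, so a transposed pair such as
// "wo" vs "ow" counts as one edit, which is the common typosquat pattern.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Well-known names that `name` sits within `maxDist` edits of (excluding itself).
function typosquatCandidates(name, knownNames, maxDist = 2) {
  return knownNames.filter((k) => k !== name && editDistance(name, k) <= maxDist);
}

// Audit one parsed package.json object; returns human-readable findings.
function auditManifest(manifest, knownNames) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`install-time script "${hook}": ${scripts[hook]}`);
  }
  const lookalikes = typosquatCandidates(manifest.name || '', knownNames);
  if (lookalikes.length) findings.push(`name resembles: ${lookalikes.join(', ')}`);
  return findings;
}

// Constructed sample modelled on the advisory: bundled hasown code plus a
// postinstall hook that runs the extra index1.js file (command is assumed).
const KNOWN = ['hasown', 'has', 'lodash'];
const sampleManifest = {
  name: 'haswons',
  main: 'index.js',
  scripts: { postinstall: 'node index1.js' },
};
```

In a real audit you would run auditManifest over every node_modules/*/package.json and review any install-time script before it executes, for example by installing with --ignore-scripts first.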

Database specific
{
    "malicious-packages-origins": null
}

Affected packages

npm / haswons

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/haswons/MAL-2026-3647.json"