-= Per source details. Do not edit below this line.=-
package.json declares scripts.preinstall: node index.js, causing index.js to run automatically during npm install. index.js collects os.hostname(), os.userInfo().username, os.homedir(), dns.getServers(), the current working directory, and the contents of package.json, then POSTs the payload over HTTPS to https://eo1e4fhn1i67p8r.m.pipedream.net. The same beacon is duplicated in ai/index.js, which is exposed through the package's exports map as ./ai, so require('@qlab/ui/ai') re-fires the POST at import time. The combination of preinstall lifecycle execution, an attacker-controlled webhook endpoint, and harvesting of installer host/user/DNS/package metadata is a dependency-confusion reconnaissance beacon targeting the @qlab scope. Installers are the direct victims: simply running npm install ships their machine identity to the attacker.
The OpenSSF Package Analysis project identified '@qlab/ui' @ 2.0.6 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-28T19:35:41Z",
"source": "ossf-package-analysis",
"import_time": "2026-05-28T20:18:24.608774983Z",
"versions": [
"2.0.6"
],
"sha256": "6202e241f53fd8e0b248f81b951077a67feef0f070b93c57b148d120cc70e69b"
},
{
"modified_time": "2026-06-11T12:56:31Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T13:27:20.506390319Z",
"id": "IN-MAL-2026-005729",
"versions": [
"2.0.6"
],
"sha256": "5a45152f64a2ace337189e6bb3ec837b200b092f3afce5edf20a968518f7abef"
},
{
"modified_time": "2026-06-11T12:56:31Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T13:27:20.458677901Z",
"versions": [
"2.0.6"
],
"id": "IN-MAL-2026-005728",
"sha256": "1b7872b498f71081087798b86ec67dd7fc33ab268d9b36de04b7d5d2b2698205"
}
]
}{
"package_integrity": [
{
"filename": "ui-2.0.6.tgz",
"hashes": {
"sha1": "fa982a4f89f5728a4f4cddebbd579bcce976a3d3",
"sha512_sri": "sha512-kHAlh8CAeC45vnj4/iFx9sPynRZcaxX7C/SOus+/E8k1rUEkuZv1xKq+JgyFtTHTmm0+ObdQ1d10W4EqpvVOag=="
}
}
],
"domains": [
"eo1e4fhn1i67p8r.m.pipedream.net"
],
"evidence_files": [
{
"sha256": "a7e18272aee814e3f4f821b4b911ff6586a8ee7170087ebdb52d99f61d0e789a",
"path": "index.js",
"tlsh": "8811afd885e123600d7645c47899d00916aad737790e6ddcf5cc06d04f89abd60b3af5"
},
{
"tlsh": "c511afd885e123600d7645d47899900916aad737790e6ddcf5cc06d04f89abd60b3af5",
"path": "ai/index.js",
"sha256": "9e2d1a7590d6c1b987443fcabb878cf37f77ba485fb88c325bd89f0a614ad727"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@qlab/ui/MAL-2026-4860.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]