-= Per source details. Do not edit below this line.=-
On npm install, the package executes a preinstall hook (package.json "preinstall": "node index.js || true") that runs index.js, which performs a DNS resolution and HTTPS GET to a hardcoded interactsh/oast.me subdomain (d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me). Each install leaks the resolver IP, public egress IP, hostname-derived identifier, and install timestamp to a third-party out-of-band interaction server. The package's own metadata states it is a dependency-confusion proof-of-concept squatting an internal Ubiquiti namespace; any build system that resolves this name from the public registry instead of the intended private registry will silently run the beacon. Regardless of the author's stated research intent, the install-time network I/O to an attacker-controlled OOB host is the canonical dependency-confusion exploitation primitive and exfiltrates installer-side network/identity data.
The OpenSSF Package Analysis project identified 'encrypted-archive' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"source": "ossf-package-analysis",
"import_time": "2026-06-06T19:34:10.14005191Z",
"sha256": "13428a6cdcd4736d3f044dd6a580724699318155a1c1e283b586b9a4c3ab6295",
"versions": [
"99.0.0"
],
"modified_time": "2026-06-06T19:29:29Z"
},
{
"id": "IN-MAL-2026-005317",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:58.022044354Z",
"sha256": "f291327983b20a3a12bd0b0b5e7fcbd0b81034402c97da2921cbe8fff14f7fd8",
"versions": [
"0.0.2-security-research"
],
"modified_time": "2026-06-10T23:35:18Z"
},
{
"id": "IN-MAL-2026-005316",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:57.93525986Z",
"sha256": "c60d89261c09dc6eaea0a3af26af55519421cb927a1b8183009d09b2d4e99b94",
"versions": [
"0.0.2-security-research"
],
"modified_time": "2026-06-10T23:35:17Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/encrypted-archive/MAL-2026-5286.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "encrypted-archive-0.0.2-security-research.tgz",
"hashes": {
"sha512_sri": "sha512-NvFPVGUysChXjyH1vYUjgzb91wRo1dHUbYYVPumbB49ChLL/lro+3wSYQWkXlOvB8YvNGvc2WxEqKR6ss/5F4g==",
"sha1": "06a0da8976094f8a6a66871c9039835fcd9ca658"
}
}
],
"domains": [
"encrypted-archive.d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me",
"d8hjn6ap4rnta9vj5ve0jk11seb4k3kci.oast.me"
],
"evidence_files": [
{
"path": "index.js",
"sha256": "e448b5cb0d2b6378be4ae31021ee2fa89f1613ba41b03c2291d2dc47b07ff812",
"tlsh": "aed0c2ad2ba0da1c5fa2c5c0f4a8a81e905393483581805165890974098a37659a4dd0"
},
{
"path": "package.json",
"sha256": "b3ee52b5df201bfc206859480845be220ff8804055b4e337f6f55baed2df112c",
"tlsh": "77e02b692c24483326f141e51831a44db124c80b5892be1cb6e3054c731de6645760ce"
}
]
}