-= Per source details. Do not edit below this line.=-
package.json declares scripts.preinstall: node index.js. On npm install, index.js (lines 4-5) performs dns.resolve and https.get against <id>.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online, an Interactsh OAST collector. The request fires unconditionally with no opt-out, leaking the installer's egress IP, internal DNS resolver identity, and fact-of-install (with the package id encoded in the subdomain and URL path) to a third-party-controlled endpoint. The README frames this as authorized dependency-confusion research targeting Ubiquiti, but the beacon does not gate on any organizational identifier — any installer that pulls this name (typo, internal-name collision, automated mirror) sends build-system metadata to the researcher. Trigger is the preinstall lifecycle hook, so the network call fires before any code review opportunity.
The OpenSSF Package Analysis project identified 'uhd-setup' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"99.0.0"
],
"sha256": "358eee34aaba61eaa93e977d35a18f35f59a56527d7c20b6e9a0bdf9c4a0a8da",
"modified_time": "2026-06-06T19:02:40Z",
"source": "ossf-package-analysis",
"import_time": "2026-06-06T19:34:10.035644618Z"
},
{
"versions": [
"0.0.1-security-research"
],
"sha256": "7cf641e43172371f2f9c843ad0b68bad139485231e30e9ef8072197977d9f2d5",
"modified_time": "2026-06-09T20:44:09Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005244",
"import_time": "2026-06-09T20:45:59.815869001Z"
},
{
"versions": [
"0.0.1-security-research"
],
"sha256": "8cd16b0b6896b16874da441b7197b846bf0c725dcff0ef2d6e8f93c6cc08fc99",
"modified_time": "2026-06-09T20:44:08Z",
"source": "amazon-inspector",
"import_time": "2026-06-09T20:45:59.636747398Z",
"id": "IN-MAL-2026-005243"
}
]
}
{
"package_integrity": [
{
"filename": "uhd-setup-0.0.1-security-research.tgz",
"hashes": {
"sha512_sri": "sha512-lABJRYBYdkO2B7/Rz9B/BGbBCMTcCbWkCQbs1Ma9nT8yiOWSk9EZWllD86u7jBpcxROo1ClkuUIezLDRFgtvIg==",
"sha1": "de2cb00c9af2ba56f4a5ce21f9c7d2e6d83cbd44"
}
}
],
"evidence_files": [
{
"sha256": "360abfce2267dda034c4ab35ec47909a7b4e1a299ca7a14d6112537a352e11ea",
"path": "index.js",
"tlsh": "21d0c2f923e1f27809a1a8d4d285f92e8403d00033ac9054d02846b49c83b79a8f08d0"
}
],
"domains": [
"d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online",
"uhd-setup.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uhd-setup/MAL-2026-5287.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]