-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall hook (node index.js) collects host and user identity data — os.hostname(), os.userInfo().username, __dirname, process.cwd(), pid, node version, platform, and architecture — and ships them to two attacker-controlled destinations: (a) an HTTP POST to a bare IP http://172.201.213.59:9090/cb/klapp-about-routes carrying the collected fields as JSON, and (b) a hex-encoded DNS lookup to *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (interactsh out-of-band callback). The package name @klapp-about/routes and the unusually high version 99.0.0 are the canonical shape of a dependency-confusion attack — an internal-looking scope published to public npm at a version high enough to override a private resolver. Self-description as a 'security research / dependency-confusion PoC' does not change installer-side impact: any developer or CI system that misroutes installs to the public registry has their machine fingerprint shipped to the hardcoded IP and DNS callback service without consent.
{
"malicious-packages-origins": [
{
"sha256": "3a89d8d92c1d5303d17c64a14353dfd86d738d620129a830af3684b6ab2e2167",
"id": "IN-MAL-2026-005097",
"import_time": "2026-06-09T17:45:54.508315496Z",
"modified_time": "2026-06-09T17:40:05Z",
"versions": [
"99.0.1"
],
"source": "amazon-inspector"
},
{
"sha256": "99d2936e8940c6e62254cb8aefb5220dad856de80e50243788f3282e17035c10",
"id": "IN-MAL-2026-005074",
"import_time": "2026-06-09T17:45:52.935484151Z",
"modified_time": "2026-06-09T17:35:19Z",
"versions": [
"99.0.2"
],
"source": "amazon-inspector"
},
{
"sha256": "dd5d030db916b2c1fcac6ca8ebaa5415eae8a32ad67a5104b78a17d535111a10",
"id": "IN-MAL-2026-005073",
"import_time": "2026-06-09T17:45:52.886613792Z",
"modified_time": "2026-06-09T17:35:19Z",
"versions": [
"99.0.2"
],
"source": "amazon-inspector"
},
{
"sha256": "fbc76fb74ca69f4553d9ffdb5b337805879b2a9d689fef836fb3b23e18a34482",
"id": "IN-MAL-2026-005098",
"import_time": "2026-06-09T17:45:54.579342445Z",
"modified_time": "2026-06-09T17:40:06Z",
"versions": [
"99.0.1"
],
"source": "amazon-inspector"
},
{
"sha256": "715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875",
"id": "IN-MAL-2026-005138",
"import_time": "2026-06-09T18:50:18.788106852Z",
"modified_time": "2026-06-09T17:52:45Z",
"versions": [
"99.0.0"
],
"source": "amazon-inspector"
},
{
"versions": [
"99.0.0"
],
"id": "IN-MAL-2026-005139",
"modified_time": "2026-06-09T17:52:46Z",
"sha256": "d37bd4622a778532f5476c87ebbe915d7d07d5ae30bf817d52ebdad17154c789",
"import_time": "2026-06-09T18:50:18.853693386Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "bff0e1d112b0e0584b7154d0eaaba9451373c6127002c8f0ec8d07ce1fc69e0ccb35e6",
"sha256": "cab3a2defa8489a4f078f69b759a16eb5354512c53b99509db67bbeb8e30b814",
"path": "index.js"
},
{
"tlsh": "fcd0a7745c34503314d592b60c75540a7171cd1e10547c4d9b9b141851ebb7354bb24d",
"sha256": "d3957ed5741f98aea3d6479e0f505f844c6b30a68e65f2046acbb768a8814cc8",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "routes-99.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-TtRL1zAkKP/fMvdKJxX4Unalt95prA5tvPH3TdkLJ/gyAyknyhXKtZsfTjjAAb+WgrCFs5NV1AG8keNiQ+/qcA==",
"sha1": "740674f10549deb94a448b586c23b976144e9b59"
}
}
],
"domains": [
"7b2268223a227363616e2d396530326561666136653039222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406b6c6170702d61626f75742f726f75746573222c2263223a.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-about/routes/MAL-2026-5411.json"