-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall lifecycle hook executes index.js, so the code runs at install time, before the package is ever imported. The script collects the installer's hostname, username, package install path (__dirname), current working directory, and package name, serializes them to JSON, hex-encodes the result, and exfiltrates it through two channels: DNS lookups against subdomains of d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live (an Interactsh out-of-band callback host) and an HTTP POST to the bare-IP endpoint http://172.201.213.59:9090/c. Because the hex-encoded data is carried in the leading DNS labels, the full query name differs from host to host; the fixed part is the d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live suffix. The package ships almost no functional code; its purpose is the beacon. The scope @klapp-login-platform, paired with an inflated 99.0.2 version and the generic package name routes, fits the canonical dependency-confusion pattern: a high-version public package is published to shadow an internal private package of the same name, so that affected build environments resolve and install the attacker-controlled release.
{
"malicious-packages-origins": [
{
"versions": [
"99.0.2"
],
"sha256": "c9f6b9efd71eddb881438d2ca27620bd74bfb2d294c4c93a31810f9b4a0398be",
"modified_time": "2026-06-09T17:35:02Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005068",
"import_time": "2026-06-09T17:45:52.482280328Z"
},
{
"versions": [
"99.0.2"
],
"sha256": "ffe05a6af27bd4b583c0284a40129eb63f4dcb4a6197e74195a8bb85bf71d1e7",
"modified_time": "2026-06-09T17:35:02Z",
"source": "amazon-inspector",
"import_time": "2026-06-09T17:45:52.373735047Z",
"id": "IN-MAL-2026-005067"
},
{
"versions": [
"99.0.0"
],
"sha256": "e9913ce094c3b9378054947a30b6006a21c13aaac0cca90b707c13a81c962894",
"source": "amazon-inspector",
"modified_time": "2026-06-09T17:50:25Z",
"import_time": "2026-06-09T18:50:17.933705372Z",
"id": "IN-MAL-2026-005128"
},
{
"versions": [
"99.0.0"
],
"sha256": "bb01db4904bb167c8048cc3cb668a0e554a972e0a68c95ff18df9d161affef7f",
"modified_time": "2026-06-09T17:50:25Z",
"source": "amazon-inspector",
"import_time": "2026-06-09T18:50:17.983040368Z",
"id": "IN-MAL-2026-005129"
}
]
}{
"package_integrity": [
{
"filename": "routes-99.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-f5bb4sAmD2CgVUsX6Ls+8wBJdg22O9YtS5EgxcyfXeAEfKmAHZ6K7xv4g6OzBR0vzXWCX6pIOqXTL8b4wAKivQ==",
"sha1": "d961c8641c2be0e25e2d18dc6033b64ce3abca31"
}
}
],
"evidence_files": [
{
"sha256": "750349cd1da7c9d227661c16f90045833969a85566dd871d67ee883d5dc29557",
"path": "index.js",
"tlsh": "74f00ce162b0d0f98b708580ecc4668056b7c256b002c8e4dc0c0ece0ac24e05c76ae1"
},
{
"sha256": "e9809650aaa6c44320524f04e89824561ea013d96df0a3a6f30c84bac913460e",
"path": "package.json",
"tlsh": "65d022381a31b836076142f0a8b5ac4c60f8c2181080cd0c8ee680b085b17e8809e001"
}
],
"domains": [
"7b2268223a227363616e2d633064633039326164646639222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406b6c6170702d6c6f67696e2d706c6174666f726d2f726f75.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@klapp-login-platform/routes/MAL-2026-5415.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]