-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall script (node index.js || true) executes automatically and collects host identifiers from the installer's machine — os.hostname(), os.userInfo().username, __dirname, and process.cwd() — then exfiltrates them through two channels. First, the JSON payload is POSTed to a hardcoded bare IP http://172.201.213.59:9090/c. Second, the data is hex-encoded into a subdomain and resolved via DNS against *.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live, an Interactsh out-of-band beacon. The || true suffix swallows any error so the install always succeeds silently. Although the package metadata describes itself as 'security research', every installer is harmed: host reconnaissance fires unconditionally on install with no opt-out and no disclosure.
{
"malicious-packages-origins": [
{
"versions": [
"99.0.1"
],
"id": "IN-MAL-2026-005102",
"import_time": "2026-06-09T17:45:54.800420201Z",
"sha256": "3dc7b28e2c70c166b75e806b589dac5e2aae3dffe338f5b9f2707692dd1b8c17",
"modified_time": "2026-06-09T17:41:29Z",
"source": "amazon-inspector"
},
{
"versions": [
"99.0.1"
],
"id": "IN-MAL-2026-005101",
"modified_time": "2026-06-09T17:41:29Z",
"sha256": "84a4bcae5f6897112304920f60d6cbb6cbe880104db4ef1ff69be17fbb69b8ac",
"import_time": "2026-06-09T17:45:54.771040179Z",
"source": "amazon-inspector"
},
{
"versions": [
"99.0.0"
],
"id": "IN-MAL-2026-005142",
"import_time": "2026-06-09T18:50:19.119930512Z",
"sha256": "36d8d7c327560bb7a4c08d906db240a2dc146e20f828d9dfc5ab79497b155355",
"modified_time": "2026-06-09T17:55:14Z",
"source": "amazon-inspector"
},
{
"versions": [
"99.0.0"
],
"id": "IN-MAL-2026-005143",
"import_time": "2026-06-09T18:50:19.200496564Z",
"modified_time": "2026-06-09T17:55:15Z",
"sha256": "99c9771eea6e1ac9070aeee2d1c4a2264bfd92586e2af228932ca88f5fee0b0f",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "70894a72ac8089a8f10aee8d420131e6179f13f6657f7dc30f3993e2fc2c042c",
"tlsh": "51f0e1e161a0d5f99b709590bdd4668457f3d656b04288f0dc4d0fcf46c24d09d769e1",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "utils-99.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-1TBU/MWPugA8i5/hXTfWvZC8PZ686rS3UzMFrCAjCjqzBZxPTuSI+BvftBQvF3r1QeWg7SIRdPYKqF0wfvUmIQ==",
"sha1": "090ffb365209bc248de504cabc4197416b621e79"
}
}
],
"domains": [
"7b2268223a227363616e2d376232363339653061346434222c2275223a22.7363616e222c2264223a222f686f6d652f7363616e2f6e6f64655f6d6f64.756c65732f406e7374726c6162732f7574696c73222c2263223a222f686f.d8jbmnsqcfu78dfs8vdg34ohqhirb4pbg.oast.live"
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@nstrlabs/utils/MAL-2026-5423.json"