-= Per source details. Do not edit below this line.=-
package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install. callback.js collects installer-side identity and environment data — username, uid/gid, homedir, hostname, platform, cwd, local network interfaces, external IP via api.ipify.org, Node version, and CI/secret-presence flags (AWSACCESSKEYID, GITHUBTOKEN, NPMTOKEN, DOCKERPASSWORD) — and POSTs the result to a hardcoded Discord webhook (https://discord.com/api/webhooks/1516163806559076442/...). A DNS-based exfiltration fallback is also implemented. The package self-identifies as a dependency-confusion PoC and is published at version 999.0.0 to outrank private-registry packages of the same name; any build pipeline that resolves setka-editor from the public npm registry will execute the callback and leak the listed data. Regardless of stated research intent, the install-time exfiltration of installer host data and CI secret-presence flags to an attacker-controlled Discord endpoint is a real supply-chain attack against any pipeline that resolves this name.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-16T02:14:53Z",
"id": "IN-MAL-2026-006740",
"source": "amazon-inspector",
"import_time": "2026-06-16T02:23:12.169676039Z",
"sha256": "a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069",
"versions": [
"999.0.0"
]
},
{
"modified_time": "2026-06-22T16:26:26Z",
"id": "IN-MAL-2026-007104",
"source": "amazon-inspector",
"import_time": "2026-06-22T16:36:58.368377006Z",
"sha256": "349eadfbed87fb776d89d65217a281f4d259dcddfbd23a1fa087fc206bb2551a",
"versions": [
"999.99.99"
]
},
{
"modified_time": "2026-06-22T16:26:37Z",
"id": "IN-MAL-2026-007105",
"source": "amazon-inspector",
"import_time": "2026-06-22T16:36:58.44309686Z",
"sha256": "f3fb9da9a52ae56ec86c3669e188d366e44f02d4c9b278d84ce6c015d4c3ee2a",
"versions": [
"999.9.9"
]
},
{
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"id": "GHSA-4626-p8q4-554f",
"source": "ghsa-malware",
"import_time": "2026-06-23T07:33:18.907579932Z",
"sha256": "6fb29ab46c42c9962ff0c7b312d2a096be780a465764991d1861ab79fecf200a",
"modified_time": "2026-06-23T06:10:52Z"
}
]
}{
"evidence_files": [
{
"path": "callback.js",
"tlsh": "2e12c6a556b1561005e347a02a1fa416327af1673756deb0bbdc43182fc1b3c93f2eba",
"sha256": "58f088e7a9bdfcc0fce3475ad08d6b964fe704c4ef93d7a3b094fcd5db998c7c"
},
{
"path": "package.json",
"tlsh": "bae0682058155e733cd0ceeb012692592420cd07141c3d0c3b970298935eb775abb6ae",
"sha256": "d04048417cc50a5cfc305df0200164875ee12d453ebf97529eed394048bde59a"
}
],
"package_integrity": [
{
"filename": "setka-editor-999.0.0.tgz",
"hashes": {
"sha1": "6effd8fbbd258b71201571fade147b16c5a2a289",
"sha512_sri": "sha512-nR2hWu01oGWBZYrxY6gvi4ArsN2i/h2GRb3MhrKWnJ5yq3hgSbLl8iVesNf8IoX252LqeLtU4wxbjx0ihxMHag=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/setka-editor/MAL-2026-5859.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]